About this Guide


Welcome to Qualys CloudView! We’ll help you get acquainted with the Qualys solutions 
for securing your AWS, Azure, and GCP resources using the Qualys Cloud Security 
Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 
CloudView Overview


Qualys CloudView provides visibility and continuous security across all of your cloud 
environments. 


With CloudView you'll get these features: 


- Discover assets and resources across all regions from multiple accounts and multiple 
cloud platforms 


- Search resource metadata, view resource details and show associations across resources 
- Out-of-the-box AWS, Azure, GCP policies 


- Continuously assess and report resource misconfigurations by checking against the 
controls from out-of-the-box policies 


- Build your own policies and customize controls to suit your need 


- Ability to view, filter and export misconfigurations 


Qualys Subscription and Modules required 

Check that you have these modules available in your subscription: 

- CloudView 

- Vulnerability Management (only if you want to view host vulnerability information) 
- AssetView 

- Cloud Agents for VM 

- Administration 


If you need access to a module, please contact your Qualys Technical Account Manager 
(TAM). 
Concepts and Terminologies


Get familiar with common terms used in CloudView. 


Policy: A set of configuration checks that will assess different resources collected
from your cloud account.

Control: A configuration check. Each check applies to a specific service/resource.
Here are some examples:
- MFA should be enabled for console user - applies to AWS IAM Service and
IAM User Resource
- Password policy should have upper case letter enforced - applies to AWS
IAM Service
- Security group should not allow inbound access on port 22 from 0.0.0.0 -
applies to EC2/VPC services and Security Group Resource

Service: A service is the high level grouping by functional area. Each service consists
of different entities or resources.

Resource: A resource is an entity that you can work with. Examples include an
Amazon EC2 instance, IAM User, Security Group.

Control Passed: Each control is applicable to a specific resource type. For each control,
applicable resources are collected. The control checks whether a particular attribute
of a resource is configured as per best practices. The control is passed when the
attribute that the control is checking is found configured as per the desired
configuration for all the applicable resources collected.

Control Failed: A control is considered failed when the attribute the control checks
is not configured as per the desired configuration for any of the applicable
resources collected.

Resource Passed: A resource is considered passed for a control if its attribute is
configured as per the desired configuration in the control.

Resource Failed: A resource is considered failed for a control if its attribute is not
configured as per the desired configuration in the control.
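As an added illustration of the Control Passed/Failed and Resource Passed/Failed definitions above (example code written for this guide, not Qualys code), the following applies the sample port 22 control to a constructed set of security groups; the resource model and the inbound rule format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class SecurityGroup:
    """Constructed stand-in for a collected Security Group resource."""
    resource_id: str
    # inbound rules as (protocol, from_port, to_port, cidr); "-1" = all traffic
    inbound: List[Tuple[str, int, int, str]] = field(default_factory=list)


def allows_port_22_from_anywhere(sg: SecurityGroup) -> bool:
    """True if some inbound rule opens TCP/22 (or all traffic) to the world.
    Assumes 0.0.0.0/0 and ::/0 are the 'from 0.0.0.0' case the control names."""
    for proto, from_port, to_port, cidr in sg.inbound:
        world = cidr in ("0.0.0.0/0", "::/0")
        all_traffic = proto == "-1"
        covers_22 = proto == "tcp" and from_port <= 22 <= to_port
        if world and (all_traffic or covers_22):
            return True
    return False


@dataclass
class Control:
    name: str
    resource_type: type
    # returns True when the resource attribute matches the desired configuration
    desired: Callable[[object], bool]


def evaluate_control(control: Control, resources) -> Tuple[bool, Dict[str, str]]:
    """Apply a control to collected resources.

    Resource Passed / Resource Failed is decided per applicable resource.
    Control Passed requires every applicable resource to pass; one failing
    resource makes the control Failed. With no applicable resources the
    control is vacuously passed here (an assumption; the guide does not say).
    """
    per_resource: Dict[str, str] = {}
    for res in resources:
        if not isinstance(res, control.resource_type):
            continue  # control does not apply to this resource type
        per_resource[res.resource_id] = "PASS" if control.desired(res) else "FAIL"
    control_passed = all(v == "PASS" for v in per_resource.values())
    return control_passed, per_resource


SSH_CONTROL = Control(
    name="Security group should not allow inbound access on port 22 from 0.0.0.0",
    resource_type=SecurityGroup,
    desired=lambda sg: not allows_port_22_from_anywhere(sg),
)

# Constructed sample inventory: two compliant groups and two non-compliant ones
SAMPLE_GROUPS = [
    SecurityGroup("sg-web", [("tcp", 443, 443, "0.0.0.0/0")]),
    SecurityGroup("sg-admin", [("tcp", 22, 22, "10.0.0.0/8")]),
    SecurityGroup("sg-range", [("tcp", 0, 1024, "0.0.0.0/0")]),
    SecurityGroup("sg-open", [("-1", 0, 0, "::/0")]),
]

if __name__ == "__main__":
    passed, results = evaluate_control(SSH_CONTROL, SAMPLE_GROUPS)
    print("Control", "PASSED" if passed else "FAILED", results)
```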
Get Started


Just set up a connector for your cloud environment and that’s it! We’ll start discovering 
resources that are present in your cloud account. You can create AWS, Azure and GCP 
connectors. We’ll walk you through the steps. 


AWS 


Configure AWS connectors for gathering resource information from your AWS account. It 
just takes a couple of minutes. 


Base Account 


AWS connectors use Qualys accounts to query the AWS APIs. If you do not wish to
use the Qualys accounts, you can use the base account feature to use your own AWS
account for AWS API queries from CloudView. You need to configure your AWS account ID
and user credential for each base account type. For more information, refer to Base
Account.


Steps to Create AWS Connector 


Go to the Configuration > Amazon Web Services tab and click Create Connector. 




Provide a name and description (optional) for your connector. Select an account type for 
your connector: Global, US GovCloud or China. You can choose only one account type per 
connector. 


Note: If you plan to use the connector for the China account type, ensure that you set up
a base account. For more information, refer to Base Account.


Select a frequency at which the connector should poll the cloud provider and fetch data.
By default, the connector polling frequency is configured for every 4 hours. As a result, the
connector will connect with the cloud provider every 4 hours to fetch the data.


You can configure the frequency from a minimum of one hour to a maximum of 24 hours. We
recommend that you configure a frequency of 4 hours or more for optimal use of your
connector.


Configuring a low polling frequency (less than 4 hours) can affect the performance of
the connector and may result in AWS API throttling errors.


Note: 

- If you trigger Run for the connector from the quick actions menu, the scheduled 
connector polling (as per the configured frequency) remains unaffected. 

- Configuration of connector polling frequency is enabled only for Cloud Security 
Assessment (CSA) users. 


Now, copy settings from the connector details: Qualys AWS Account ID and External ID. 
You'll need these for creating your IAM role in AWS in the next step. 


To adhere to the AWS vendor requirement best practices, we have modified the format of
the external ID. AWS requires that vendors provide a unique external ID value amongst all
their customers when providing a vendor account for a trust relationship. To
accommodate this requirement and provide flexibility to our customers we have
implemented the below external ID format. The external ID consists of three parts. Two
parts are pre-set by Qualys and the third part is editable by the customer.



External ID format: <Qualys POD>-<Qualys Subscription ID>-<random alphanumeric number>


where,


Qualys POD (preset by Qualys) refers to the Qualys Platform associated with your Qualys
subscription. View Qualys Platform Identifier to know more about Qualys platforms.


Qualys Subscription ID (preset by Qualys): Your unique Qualys Subscription ID.


random alphanumeric number: You can use a combination of letters (a-z, A-Z) and
numbers without spaces to generate the unique number. You can use a minimum of 2 or a
maximum of 1024 characters to complete the external ID combination in the new format. The
special characters supported are: =,.@:/


Note: Special characters are not permitted in the random number. 


IMPORTANT: All previously created connectors continue to work as configured. If the
customer has to update a connector or create a new connector, they need to provide the
external ID in the new format.
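An added example, not part of the Qualys guide, that parses an external ID in the three-part format above and validates the customer-editable part against the stated rules. It assumes the two preset parts contain no hyphen and that the listed special characters (=,.@:/) are allowed in the random part; the POD and subscription values used are constructed.

```python
import re
from typing import NamedTuple

# Customer-editable third part: letters, digits and the special characters the
# guide lists (=,.@:/); 2..1024 characters, no spaces (assumption: no hyphens)
CONFIGURABLE_RE = re.compile(r"[A-Za-z0-9=,.@:/]{2,1024}")


class ExternalId(NamedTuple):
    pod: str              # Qualys POD, preset by Qualys
    subscription_id: str  # Qualys Subscription ID, preset by Qualys
    configurable: str     # random alphanumeric part chosen by the customer

    def __str__(self) -> str:
        return f"{self.pod}-{self.subscription_id}-{self.configurable}"


def parse_external_id(value: str) -> ExternalId:
    """Split <POD>-<Subscription ID>-<random part> and validate the last part.

    Assumes the two preset parts never contain '-', so the first two hyphens
    are the separators. Raises ValueError with the reason on bad input.
    """
    parts = value.split("-", 2)
    if len(parts) != 3 or not parts[0] or not parts[1]:
        raise ValueError("expected <Qualys POD>-<Qualys Subscription ID>-<random part>")
    pod, sub, configurable = parts
    if not CONFIGURABLE_RE.fullmatch(configurable):
        raise ValueError(
            "random part must be 2..1024 characters from A-Z a-z 0-9 =,.@:/ "
            "with no spaces or hyphens")
    return ExternalId(pod, sub, configurable)


def is_valid_external_id(value: str) -> bool:
    """True when the value matches the three-part format and its rules."""
    try:
        parse_external_id(value)
        return True
    except ValueError:
        return False


def matches_presets(value: str, expected_pod: str, expected_sub: str) -> bool:
    """Check that a customer-edited ID still carries the two parts Qualys
    preset; only the third part is meant to be edited."""
    try:
        ext = parse_external_id(value)
    except ValueError:
        return False
    return ext.pod == expected_pod and ext.subscription_id == expected_sub


if __name__ == "__main__":
    # constructed sample: POD "US2", subscription "12345678", configurable part
    print(parse_external_id("US2-12345678-1616345720164"))
```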


Launch your AWS console, and go to IAM > Roles and click Create Role. In the Create role 
window, choose “Another AWS account”. Paste in the Qualys account ID and the External 
ID that you copied in the previous step. Click Next: Permissions. 


[Screenshot: AWS Create role, "Select type of trusted entity" with "Another AWS account"
selected, an Account ID field, the option "Require external ID (Best practice when a third
party will assume this role)", which AWS describes as preventing "confused deputy" attacks
and which is not supported by the console Switch Role feature (entities in the trusted
account must use the API, CLI, or a custom federation proxy to make cross-account
iam:AssumeRole calls), the "Require MFA" option, and the Next: Permissions button.]


Ensure that you do not opt for Require MFA option when you create a cross-account role 
for CloudView. 


Select the following policies:
a) Find the policy titled 'SecurityAudit' and select the check box next to it.


b) Create a policy that includes the permissions: ‘eks:ListFargateProfiles’, 
‘eks:DescribeFargateProfile’. Once you create the policy, find the policy and select the 
check box next to the policy. For detailed steps on the policy creation, see Permissions for 
Fargate Profile. 


Note: You need the additional permissions only if you have FargateProfile resources in your 
cloud environment. 


c) Create a custom policy that includes additional permissions (applicable only for Elastic 
File System (EFS), Step Functions, Amazon Quantum Ledger Database (QLDB), Managed 
Streaming for Apache Kafka (MSK), API Gateway, AWS Backup, WAF, and CodeBuild 
resources). Find the custom policy you create and select the check box next to the policy. 
For detailed steps on the creation of custom policy and the required permissions, see 
Create Custom Policy. 
Click Next: Tags and then Next: Review.




Save AWS role and get the ARN: Enter a role name (e.g. QualysCVRole), click Create role. 
Then click on the saved role to view role details and copy the ARN value. 




Go back to your AWS connector in Qualys CloudView and paste the Role ARN value into 
the connector details. 




Select the Create Connector in AssetView check box (optional). Selecting this check box
ensures that a replica of the current connector is created and available in the AssetView
module, which saves you from repeating the connector creation steps in AssetView.


Pre-requisite permission: the user needs access to the EC2 Connector page in the AssetView
module and the 'Manage Asset Data Connectors' permission enabled in AssetView permissions.


Click Test Connector to verify if the connector can assume the provided role (created by 
user) and successfully authenticate in AWS cloud environment. If the test connection is 
successful, proceed with the connector creation process. If the test connection fails, you 
may need to check and update the credentials you provided for the connection to work. 


Note: Ensure that you have all the pre-requisite permissions, correct cross- 
account role with necessary associated policies with the connector to 
successfully fetch resource details. 




Then click Create Connector. 




That’s it! The connector will establish a connection with AWS to start discovering 
resources from each region and evaluate them against policies. 


Want to create a role using CloudFormation? 
Download the CloudFormation template from the Create AWS Connector window. 


Steps shown in the Create AWS Connector window:

1. Download the CloudFormation template.

2. Log in to Amazon Web Services (AWS) and go to CloudFormation.

3. Create a stack and upload the template.

4. When the stack is complete, copy the Role ARN value from the output and paste it into
the connector details.


Follow the steps on the screen to create a stack by uploading the template file you
downloaded. When the stack is complete, copy the Role ARN from the output and paste it
into the connector details.
Base Account


AWS connectors use Qualys accounts to query the AWS APIs. If you do not wish to
use the Qualys accounts, you can use the base account feature to use your own AWS
account for AWS API queries from CloudView. You need to configure your AWS account ID
and user credential for each base account type.


For example, you have 3 AWS accounts: Central Security Account, Production and 
Development. You can designate the Central Security Account as a base account to set up 
an AWS connector in CloudView to pull the resources from Production & Development 
account. 


Create Base Account 


To create an AWS connector that uses your own account to query the AWS APIs, you must
first configure a base account of the same account type (Global, GovCloud, China). If you
do not create a base account, you can still create a connector, but it will use the Qualys
account to query the AWS APIs.


Go to Configuration > Amazon Web Services and then click Configure Base Account. 




Click Create and provide title, AWS account ID, access and secret keys. 


Select the account type. You can create only one base account per account type. 


Ensure that the user of the AWS account ID for which you configure the base account has
the required policies associated in the AWS console. For more information on the steps in
the AWS console, refer to Base Account Configuration in AWS Console.


Select the Use in AssetView option to make the configured base account available in
the AssetView App as well. This saves you from creating a separate base account in
AssetView.


Edit Base Account 

Select the base account you want to edit and click the quick action menu, then select Edit. 
You can edit name, AWS account ID, access keys and secret keys. You cannot edit the 
account type. 


Updating Existing Connectors to Use Base Account 


To update existing AWS connectors that use the Qualys account so that they use a base
account, you need to:


- create a base account using your AWS account ID


- update the Trusted Entities for your IAM roles: in the AWS console, go to IAM role > Trust
relationships and then Edit trust relationship. Ensure that the AWS account ID for which
you configured the base account matches the account number in the trusted entities allowed
to assume this IAM role. Click Update Trust Policy.


Edit Trust Relationship


You can customize trust relationships by editing the following access control policy
document. Ensure your account number matches the one you specified during base account
creation.


Policy Document (the account number in the principal ARN is cut off in the screenshot and is
shown here as a placeholder; it must be your base account ID):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your base account ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "1541307767358"
        }
      }
    }
  ]
}


Once you update the corresponding policy, all your existing connectors using the 
corresponding IAM role will be automatically upgraded to the configured base account. 
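Added example (not Qualys code) that builds the trust policy the steps above describe and audits an existing trust policy document for the two points they call for: the trusted principal is your base account ID and an sts:ExternalId condition is enforced. The account IDs and external ID used are constructed values.

```python
import json
from typing import List


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the given AWS account assume the role, and
    only when the caller presents the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _principal_accounts(principal) -> List[str]:
    """Account IDs (or '*') named in a Principal block; handles the string,
    list and bare-account-ID forms IAM accepts."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = []
    for v in values:
        if v.startswith("arn:"):
            accounts.append(v.split(":")[4])  # arn:<partition>:iam::<account>:root
        else:
            accounts.append(v)                # "*" or a bare 12-digit account ID
    return accounts


def audit_trust_policy(doc: dict, expected_account: str,
                       expected_external_id: str) -> List[str]:
    """Findings for every Allow statement that grants sts:AssumeRole:
    wrong or wildcard principal, missing or mismatched sts:ExternalId.
    An empty list means the document matches the expectations."""
    findings: List[str] = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for acct in _principal_accounts(st.get("Principal", {})):
            if acct == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif acct != expected_account:
                findings.append(f"statement {i}: trusts {acct}, expected {expected_account}")
        # only the single-string form of the condition is handled here
        got = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif got != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId {got!r} does not match")
    return findings


def audit_trust_policy_json(text: str, expected_account: str,
                            expected_external_id: str) -> List[str]:
    """Same audit on the raw policy document text copied from the console."""
    return audit_trust_policy(json.loads(text), expected_account, expected_external_id)


if __name__ == "__main__":
    # constructed values: base account 111111111111, a sample external ID
    policy = build_trust_policy("111111111111", "US2-12345678-1616345720164")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, "111111111111", "US2-12345678-1616345720164"))
```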


What happens if I delete the base account?


If you delete a base account, all the connectors that are associated with the base account
will be automatically updated to the Qualys account in the Qualys Cloud Platform. However,
you need to go to your AWS account and update the account ID in the Trusted Entities of the
IAM roles from the base account ID to the Qualys account ID.
Base Account Configuration in AWS Console


If you plan to use base account for your connectors, there are certain pre-requisites and 
settings that need to be configured on AWS console. The detailed steps and configuration 
required in AWS console for setting up base account is listed below. 


Create IAM User and associate policy in AWS 


On the AWS console, navigate to AWS > Policies and create a policy (for example, 
AssumeRole) that contains the following JSON content. 


Create an IAM user. Navigate to Identity and Access Management > Users and then click Add
user.


Provide a user name and enable Programmatic access for the user. Click Next:
Permissions.




Select Attach existing policies directly and then type the name of the policy that you 
created (AssumeRole) in Filter policies. Select the policy (AssumeRole) you configured and 
then click Next: Tags. 


Add tags if needed (this is optional). Review the user settings you configured and then
click Create user.


Permissions for Fargate Profile


To fetch information about Fargate profile resources, additional permissions are required. 
You need to assign additional permissions to the IAM role associated with the AWS 
connector to fetch information about the Fargate profile resources in your cloud 
environment. 


You can create a new policy with the required permissions and attach the policy to the 
IAM role associated with the AWS connector. 


Create the policy 


1 - Log in to your Amazon Web Services (AWS) IAM console at
https://console.aws.amazon.com/iam/ with a user that has administrator permissions.


2 - In the navigation pane, choose Policies. 

3 - In the content pane, choose Create policy. 

4 - Choose the JSON tab. Paste the following text into the JSON text box.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InventoryPermissions",
      "Effect": "Allow",
      "Action": [
        "eks:ListFargateProfiles",
        "eks:DescribeFargateProfile"
      ],
      "Resource": "*"
    }
  ]
}

5 - Click Next: Tags. 


6 - Provide a name and description for the policy and then click Create policy. For example, 
let us create Sample_Fargate_Policy. 




The policy is created with the required permissions. The next step is to associate the policy
with the IAM role associated with the connector.


Attach Policy To The IAM Role 
Once you create the policy, attach it with the role associated with the connector. 


1 - Log in to your Amazon Web Services (AWS) IAM console at
https://console.aws.amazon.com/iam/ with a user that has administrator permissions.


2 - In the navigation pane, choose Roles. 
3 - Select the IAM Role being used by the connector. 
4 - Choose the Permissions tab and click Attach Policies. 


5 - Find the policy you created (example: Sample_Fargate_Policy) and click Attach Policy. 
Create Custom Policy

You need additional permissions to evaluate controls related to the following resources:

- Elastic File System (EFS)

- Step Functions

- Amazon Quantum Ledger Database (QLDB)

- Managed Streaming for Apache Kafka (MSK)

- API Gateway

- AWS Backup

- WAF

- CodeBuild

Note: These additional permissions are not required for Cloud Inventory users.


You can create a new policy with the required permissions and attach the policy to the 
IAM role associated with the AWS connector. 


Create the Custom Policy 


1 - Log in to your Amazon Web Services (AWS) IAM console at
https://console.aws.amazon.com/iam/ with a user that has administrator permissions.


2 - In the navigation pane, choose Policies. 
3 - In the content pane, choose Create policy. 
4 - Choose the JSON tab. Paste the following text into the JSON text box.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QualysCustomPolicyPermissions",
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "qldb:ListLedgers",
        "qldb:DescribeLedger",
        "kafka:ListClusters",
        "codebuild:BatchGetProjects",
        "wafv2:GetWebACLForResource",
        "backup:ListBackupVaults",
        "backup:DescribeBackupVault"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QualysAPIGatewayGetPermissions",
      "Effect": "Allow",
      "Action": "apigateway:GET",
      "Resource": "arn:aws:apigateway:*::/restapis/*"
    }
  ]
}

5 - Click Next: Tags. 


6 - Provide a name and description for the policy and then click Create policy. For example, 
let us create Sample_Custom_Policy. 


The policy is created with the required permissions. The next step is to associate the policy
with the IAM role associated with the connector.


Attach Policy To The IAM Role 
Once you create the policy, attach it with the role associated with the connector. 


1 - Log in to your Amazon Web Services (AWS) IAM console at
https://console.aws.amazon.com/iam/ with a user that has administrator permissions.


2 - In the navigation pane, choose Roles. 
3 - Select the IAM Role being used by the connector. 
4 - Choose the Permissions tab and click Attach Policies. 


5 - Find the policy you created (example: Sample_Custom_Policy) and click Attach Policy. 
Editing AWS Connectors


Go to Configuration > Amazon Web Services and select the connector for which you would 
want to edit the details. From the quick actions menu, select View and go to Connector 
Information tab and click Edit. 



You can now edit the required details. 


Once you update the required details, you can click Test to verify if the connection to the 
AWS cloud provider is successful with the details you updated. If the test connection is 
successful, click Save and proceed. 


If the test connection fails, you may need to check and update the credentials you 
provided for the connection to work. 


AWS Resource Inventory 


Upon setting up the AWS connector, it starts discovering the resources that are present in
your AWS account. The inventory and the metadata of the resources are pushed to the Qualys
portal. For the list of resources that are collected, refer to Resources List. To fetch the
updated resources, you need to select Run from the quick actions menu for the AWS
connector.


What do you achieve?
- Get centralized visibility of services/resources across your multiple AWS accounts.

- Identify services/resources running in your AWS account. For the list of resources
collected, refer to Resources List.

- Identify the number of resources that are non-compliant.

- View resource details and their associations with other resources.

- Locate resources by querying resource attributes, account, region, etc.

- Search tagged/untagged resources using AWS tags.

- The trend chart and time range help you understand how the resources varied over the
past 7 or 30 days. You can also specify a custom range.
Resources List


CloudView will discover and fetch following AWS resources and their corresponding 
attributes. 


- Subnet 

- Network ACL 

- Internet Gateway 

- Load Balancer 

- Instance 

- Route Table 

- S3 Bucket 

- IAM User 

- VPC 

- Auto Scaling Group 
- Security Group 

- Lambda Function 
- RDS 

- EBS Volume 

- EKS Cluster 

- EKS Node Group 

- EKS Fargate Profile 
Microsoft Azure


Configure Microsoft Azure connectors for gathering resource information from your 
Microsoft Azure account. It just takes a couple of minutes. 


Let us see what permissions are needed to create Azure connector. 


Pre-requisites 
Before you create an Azure connector, ensure that you have the following permissions: 


- Assign Azure Active Directory permissions to register an application with your Azure 
Active Directory 


- Check Azure Subscription permissions to assign the application to a role in your Azure 
subscription 


Assign Azure Active Directory permissions 


Navigate to Azure Active Directory > User Settings and then ensure that App registrations
are allowed for your Azure subscription.


- If your Azure subscription has the app registrations setting set to No, you need to check
whether your account is an admin or user for the Azure AD account.


To check if your account is an admin, go to Overview and look at your user information.

If your account is assigned to the User role, but the app registration setting is restricted to 
admin users, you will not be permitted to register new apps. In such case, ask your 
administrator to either assign you to the global administrator role, or to enable users to 
register apps. 
Check Azure Subscription permissions


In your Azure subscription, your account must have the Owner access role to assign a reader
role to the AD app. If your account is assigned the Contributor role, you do not have
adequate permission and will receive an error when attempting to assign the role to the
AD application.


To know the role assigned to you, select your account (refer image) and select My 
permissions. From the Subscription drop-down list, select the subscription for which you 
would want to check permissions and then click the 'Click here to view complete access 
details for this subscription’ link. 




Steps to Create Azure Connector 


On the Configuration tab, select Microsoft Azure > Create Connector. 




Provide a name and description (optional) for your connector. Select an account type for 
your connector: Global or US GovCloud. You can choose only one account type per 
connector. 


Configure a polling frequency. The polling frequency of a connector determines how often 
the connector polls the cloud provider and fetches data. 


Select the frequency at which the connector should poll the cloud provider and fetch data. 
By default, the connector polling frequency is set to every 4 hours, so the 
connector connects to the cloud provider every 4 hours to fetch the data. 

You can configure the frequency from a minimum of one hour to a maximum of 24 hours. We 
recommend a frequency of 4 hours or more for optimal use of your 
connector. Configuring a short polling interval (less than 4 hours) can affect the 
performance of the connector and may result in Microsoft Azure API throttling errors. 


Note: 
- If you trigger Run for the connector from the quick actions menu, the scheduled 
connector polling (as per the configured frequency) remains unaffected. 


- Configuration of connector polling frequency is enabled only for Cloud Security 
Assessment (CSA) users. 


[Screenshot: Create Azure Connector form with Connector Details (Name, Description), Account Type (Global or US GovCloud), Polling Frequency (4 hours 0 minutes) and Authentication Details (Application ID, Directory ID, Authentication Key, Subscription ID). The side panel summarizes the Azure Active Directory steps for creating the application, generating the authentication key and acquiring the subscription ID, which are detailed under Configuration Steps on Microsoft Azure console.] 


Next, you need to obtain the application ID, directory ID, authentication key and 
subscription ID from the Microsoft Azure console and paste them into your connector details. 
To view the detailed configuration steps, refer to the Configuration Steps on Microsoft Azure 
console section. 
Click Test Connector to verify that the connector can authenticate using the 
provided service principal credentials in the Microsoft Azure cloud environment. 


If the test connection is successful, proceed with the connector creation process. If the 
test connection fails, check and update the authentication details you 
provided for the connection to work. 


Note: Ensure that you have provided the correct authentication details, set up as per 
the steps listed, for the connector to successfully fetch resource details. 


Click Create Connector. 


That's it! The connector will establish a connection with Microsoft Azure to start 
discovering resources from each region and evaluating them against policies. 


Configuration Steps on Microsoft Azure console 


These are the steps to perform on the Microsoft Azure portal: 

- Create Application and get Application ID, Directory ID 

- Configuring Authentication Key 

- Create Secret Key 

- Getting Subscription ID 


Create Application and get Application ID, Directory ID 


Create an application in Azure Active Directory. Log on to the Microsoft Azure console and 
go to Azure Active Directory in the left navigation pane, then App registrations. Click New 
registration. 


[Screenshot: Azure portal with Azure Active Directory > App registrations open and the New registration button.] 


To register the application, you need to provide a few details. 


[Screenshot: Register an application form with Name set to My Azure Connector, Supported account types (Accounts in this organizational directory only, Accounts in any organizational directory, or Accounts in any organizational directory and personal Microsoft accounts) and the optional Redirect URI.] 


Provide these details: 


- Name: A name for the application (e.g. My Azure Connector) 


- Supported account types: Select Accounts in any organizational directory. 


Click Register. The newly created application is displayed with its properties. 


[Screenshot: Overview page of the registered application My Azure Connector, listing Display name, Application (client) ID, Directory (tenant) ID, Object ID, Supported account types (Multiple organizations), Redirect URIs and Managed application in local directory.] 


Copy the Application (client) ID and Directory (tenant) ID and paste them into the connector 
details. 


You must provide permission to the new application to access the Azure Service 
Management API and create a secret key. 


Provide permission: 

- Select the application that you created and go to API permissions > Add a permission. 

- Select Azure Service Management API in Microsoft APIs for Request API permissions. 

- Select the user_impersonation permission and click Add permission. 


[Screenshot: API permissions blade of My Azure Connector with Add a permission opened; the Request API permissions panel lists commonly used Microsoft APIs such as Microsoft Graph, Azure Service Management, Azure Storage and Azure DevOps.] 


Select required Delegated Permissions, click Select and then click Done. 


[Screenshot: Request API permissions for Azure Service Management (https://management.azure.com/) with Delegated permissions selected and the user_impersonation permission, "Access Azure Service Management as organization users (preview)", checked.] 


Click Add a permission. 


Select Microsoft Graph in Microsoft APIs for Request API permissions. 


[Screenshot: API permissions blade of the application with Microsoft Graph selected in the Request API permissions panel.] 


Select Application permissions, expand User, select the User.Read.All 
permission and click Add permissions. 


A confirmation notification “Permissions have changed. Users and/or admins will have to 
consent even if they have already done so previously.” is displayed on success. 


Create Secret Key 


- Select the application that you created and go to Certificates and Secrets > New client 
secret. 


- Add a description and expiry duration for the secret key (recommended: Never) and click 
Add. 

The value of the key appears in the Value field. 


[Screenshot: Certificates & secrets blade of My Azure Connector with the Add a client secret panel (Description and Expires: In 1 year, In 2 years, Never) and the empty Client secrets list.] 


Copy the key value at this time. You won't be able to retrieve the key later. Note 
down the secret key and store it securely. You'll need to provide the key 
value with the application ID to log on as the application. 
Getting Subscription ID 


Grant permission for the application to access subscriptions. Assign a role to the new 
application. The role defines the permissions for the new application to access 
subscriptions. Repeat these steps to add more subscriptions. 


On the Microsoft Azure portal, navigate to Subscriptions. 


[Screenshot: Azure portal search for Subscriptions.] 


Select the subscription for which you want to grant permission to the application and note 
the subscription ID. To grant permission to the application you created, choose Access 
Control (IAM). 


[Screenshot: Access control (IAM) blade of the Azure-Qualys-Demo subscription with the Check access, Add a role assignment and View role assignments options.] 


Assign two roles to the application: the Reader role and a custom role. 


Assign Reader Role 

a - To grant permission to the application you created, choose Access Control (IAM). 


b - Go to Add > Add a role assignment. Pick the role as Reader. A Reader can view 
everything but cannot make any changes to the resources of a subscription. 


c - Select Azure AD user, group, or service principal in the Assign access to drop-down. 


d - Type the application name in the Select drop-down and select the application you created. 
[Screenshot: Add role assignment panel with Role set to Reader, Assign access to set to Azure AD user, group, or application, and the application Azure connector selected.] 


e - Click Save to finish assigning the role. You'll see your application in the list of users 
assigned to a role for that scope. 


Assign Custom Role 


Before you assign the custom role, create it (QRole) as described under Create Custom Role. 


a - Go to Add > Add a role assignment. Pick the custom role you created (QRole). The 
custom role can view but cannot make any changes to the resources of a subscription. 


b - Select Azure AD user, group, or service principal in the Assign access to drop-down. 


c - Type the application name in the Select drop-down and select the application you created. 


d - Click Save to finish assigning the role. You'll see your application in the list of users 
assigned to a role for that scope. 


Copy the subscription ID you noted and paste it into the connector details in the Qualys 
Azure Connector screen and then click Create Connector. 
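As an added example that is not part of the Qualys guide, the Python below reads the output of `az role assignment list --all --assignee <principal> --include-groups -o json` and checks both the point made under Check Azure Subscription permissions (your own account needs Owner, not just Contributor, at subscription scope) and the result of the two role assignments above (the connector application should hold exactly Reader and QRole on the subscription). The GUIDs and assignment records are constructed.

```python
"""Work out which roles a principal holds at Azure subscription scope.

Added example, not code from the Qualys guide. It reads the JSON printed by
`az role assignment list --all --assignee <principal> --include-groups -o json`
and answers two questions from the guide: does your account hold Owner on the
subscription (Contributor is not enough to assign roles), and did the connector
application end up with exactly Reader and QRole. All GUIDs below are
constructed placeholders.
"""
import re

# /subscriptions/<guid> with an optional narrower suffix (resource group, resource)
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})(/.*)?$",
    re.IGNORECASE)
MANAGEMENT_GROUP_PREFIX = "/providers/microsoft.management/managementgroups/"


def scope_covers_subscription(scope: str, subscription_id: str) -> bool:
    """True when an assignment at `scope` applies to the whole subscription.

    Root ("/") and management-group assignments are inherited by the
    subscriptions beneath them (az only lists them when they apply to the
    assignee, so they are taken at face value here). A subscription scope must
    match exactly; a resource-group or resource scope is narrower and does not
    count.
    """
    scope = scope.rstrip("/") or "/"
    if scope == "/" or scope.lower().startswith(MANAGEMENT_GROUP_PREFIX):
        return True
    m = SUBSCRIPTION_SCOPE.match(scope)
    return bool(m) and m.group(1).lower() == subscription_id.lower() and m.group(2) is None


def roles_at_subscription(assignments: list, subscription_id: str) -> set:
    """Role names effective on the subscription, directly or via group membership."""
    return {a["roleDefinitionName"] for a in assignments
            if scope_covers_subscription(a["scope"], subscription_id)}


def can_assign_roles(assignments: list, subscription_id: str) -> bool:
    """Owner (or User Access Administrator) is required to assign Reader/QRole to
    the AD application; Contributor alone produces the error the guide warns about."""
    return bool(roles_at_subscription(assignments, subscription_id)
                & {"Owner", "User Access Administrator"})


def connector_roles_ok(app_assignments: list, subscription_id: str) -> bool:
    """After the two assignments, the connector app should hold exactly the
    Reader role and the custom QRole on the subscription, nothing broader."""
    return roles_at_subscription(app_assignments, subscription_id) == {"Reader", "QRole"}


# Constructed samples shaped like az output, trimmed to the fields used above.
SUB = "11111111-2222-3333-4444-555555555555"
MY_ACCOUNT = [  # Contributor via a group, Owner only on one resource group
    {"roleDefinitionName": "Contributor", "principalType": "Group",
     "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Owner", "principalType": "User",
     "scope": f"/subscriptions/{SUB}/resourceGroups/demo-rg"},
]
CONNECTOR_APP = [
    {"roleDefinitionName": "Reader", "principalType": "ServicePrincipal",
     "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "QRole", "principalType": "ServicePrincipal",
     "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    print("roles on subscription:", sorted(roles_at_subscription(MY_ACCOUNT, SUB)))
    print("can assign roles:", can_assign_roles(MY_ACCOUNT, SUB))
    print("connector app roles OK:", connector_roles_ok(CONNECTOR_APP, SUB))
```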


Create Custom Role 


Run the following commands in the Azure CLI shell. Create a JSON file with the following 
content, replacing the placeholder in AssignableScopes with your subscription ID: 


{ 
    "Name": "QRole", 
    "IsCustom": true, 
    "Description": "Role for Qualys Connector", 
    "Actions": 
    [ 
        "Microsoft.Web/sites/config/list/action" 
    ], 
    "NotActions": [ ], 
    "AssignableScopes": 
    [ 
        "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" 
    ] 
} 


Run the command: 


az role definition create --role-definition <Role-Definition-Json file> 


Note: The additional permission granted by the custom role is required for the evaluation of 
controls CID 50047 and 50084. 
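Assuming the role file is generated rather than edited by hand, this added Python example (not Qualys' or Microsoft's code) builds the QRole definition above, applies a few least-privilege checks and writes the file passed to `az role definition create --role-definition`; the subscription ID used in the demo is a constructed placeholder.

```python
"""Build and sanity-check the QRole custom role definition from the guide.

Added example, not Qualys' or Microsoft's code. It produces the JSON shown
above, applies a few least-privilege checks and writes the file that
`az role definition create --role-definition qrole.json` consumes. The
subscription ID in the demo is a constructed placeholder.
"""
import json
import re
from pathlib import Path

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([^/]+)$", re.IGNORECASE)

# The one action the guide adds. It returns App Service configuration (app
# settings and connection strings), which is why it sits in its own role with
# the narrowest possible AssignableScopes instead of being bundled into Reader.
QROLE_ACTIONS = ["Microsoft.Web/sites/config/list/action"]


def build_qrole(subscription_id: str) -> dict:
    """Return the guide's role definition, assignable only within one subscription."""
    if not GUID.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    return {
        "Name": "QRole",
        "IsCustom": True,
        "Description": "Role for Qualys Connector",
        "Actions": list(QROLE_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_definition_problems(role: dict) -> list:
    """Checks a reviewer would apply to a (possibly hand-edited) definition.

    Returns the findings; an empty list means the definition is acceptable.
    """
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true")
    for action in role.get("Actions", []):
        if "*" in action:
            problems.append(f"wildcard action {action!r} grants more than intended")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        m = SUBSCRIPTION_SCOPE.match(scope)
        sub = m.group(1) if m else ""
        if sub.upper().startswith("XXXXXXXX"):
            problems.append("subscription ID placeholder from the guide was not replaced")
        elif not GUID.match(sub):
            # "/" or a management group would make the role assignable everywhere
            problems.append(f"scope {scope!r} is not a single subscription")
    return problems


def write_role_file(subscription_id: str, path: Path) -> Path:
    """Write a checked definition to disk, ready for `az role definition create`."""
    role = build_qrole(subscription_id)
    problems = role_definition_problems(role)
    if problems:
        raise ValueError("; ".join(problems))
    path.write_text(json.dumps(role, indent=2) + "\n", encoding="utf-8")
    return path


if __name__ == "__main__":
    out = write_role_file("11111111-2222-3333-4444-555555555555", Path("qrole.json"))
    print(f"wrote {out}; next: az role definition create --role-definition {out}")
```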


References 

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli 

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell 

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal 
Editing Microsoft Azure Connectors 


Go to Configuration > Microsoft Azure and select the connector for which you would want 
to edit the details. From the quick actions menu, select View and go to Connector 
Information tab and click Edit. 


[Screenshot: Edit Connector dialog with the Connector Details, Polling Frequency and Authentication Details sections.] 
You can now edit the required details. 


Once you update the required details, you can click Test to verify if the connection to the 
Microsoft Azure cloud provider is successful with the details you updated. If the test 
connection is successful, click Save and proceed. 


If the test connection fails, you may need to check and update the authentication details 
you provided for the connection to work. 


Azure Resource Inventory 


Upon setting up the Azure connector, it starts discovering the resources that are present in 
your Azure account. The inventory and the metadata of the resources are pushed to the Qualys 
portal. For the list of the resources that are collected, refer to Resources List. To fetch the 
updated resources, select Run from the quick actions menu for the Azure 
connector. 


Resources List 


CloudView will discover and fetch the following Azure resources and their corresponding 
attributes. 




- SQL Server 

- Function App 

- SQL Server Database 

- Resource Group 

- Virtual Network 

- Virtual Machine (virtual machines created using Resource Manager only) 

- Network Security Group 

- Web App (App Service) 
Google Cloud Platform 


Configure a Google Cloud Platform (GCP) connector for gathering resource information 
from your Google Cloud Platform project. It just takes a couple of minutes. 


Steps to Create GCP Connector 


Go to Configuration > Google Cloud Platform and then click Create Connector. 




(1) Provide a name and description (optional) for your connector. 


[Screenshot: Create GCP Connector form with Connector Details (Name, Description), Polling Frequency (4 hours 0 minutes) and Authentication Details (Project ID, Configuration File).] 


(2) Select the frequency at which the connector should poll the cloud provider and fetch 
data. By default, the connector polling frequency is set to every 4 hours, so the 
connector connects to the cloud provider every 4 hours to fetch the data. 

You can configure the frequency from a minimum of one hour to a maximum of 24 hours. We 
recommend a frequency of 4 hours or more for optimal use of your 
connector. Configuring a short polling interval (less than 4 hours) can affect the 
performance of the connector and may result in GCP API throttling errors. 


Note: 

- If you trigger Run for the connector from the quick actions menu, the scheduled 
connector polling (as per the configured frequency) remains unaffected. 

- Configuration of connector polling frequency is enabled only for Cloud Security 
Assessment (CSA) users. 


(3) Provide a project ID for your GCP connector. 


You can provide a distinct project ID for each GCP connector. You can use the same service 
account for multiple projects. As a result, you can create multiple GCP connectors with the 
same service account but distinct project IDs. 


For detailed steps on using the same service account for multiple projects, see Assign 
Service Account to other projects. 


(4) Create a service account and download the configuration file from the GCP console and 
then upload it to Qualys Cloud Platform to complete GCP connector creation. 


(5) Click Test Connector to verify that the connector can authenticate using the 
provided service account credentials in the GCP cloud environment. If the test connection is 
successful, proceed with the connector creation process. If the test connection fails, 
check and update the authentication details (configuration file) you uploaded 
for the connection to work. 


Note: Ensure that you have uploaded the configuration file with the correct project 
details for the connector to successfully fetch resource details. 


(6) Click Create Connector. 


That’s it! The connector will establish a connection with GCP to start discovering 
resources from each region. 


Let us see the steps to download the configuration (JSON) file from GCP console and set up 
the required authentication details. You need to enable access to the necessary APIs from 
the API library. 


Enable Access to Compute Engine and Resource Manager API 


(1) Navigate to the Google Cloud Platform (GCP) console. 


(2) Select the organization. 

(3) Select a project or create a new project. Ensure that you select the correct project. 


[Screenshot: GCP project selector listing the organization and its projects.] 


(4) In the left sidebar, navigate to APIs and Services > Library. 


[Screenshot: GCP console navigation with APIs & Services > Library highlighted.] 


(5) In the API library, click the following APIs and enable them. If you need help finding an 
API, use the search field: 

- Compute Engine API 

- Cloud Resource Manager API 

- Kubernetes Engine API 

- Cloud SQL Admin API 




- BigQuery API 

- Cloud Functions API 

- Cloud DNS API 

- Cloud Key Management Service (KMS) API 

- Cloud Logging API 

- Stackdriver Monitoring API 

- Service Usage API 


Create Service Account and Download Configuration File 


(1) Log in to the GCP console and select a project. 


(2) From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE 
SERVICE ACCOUNT. Provide a name and description (optional) for the service account and 
click Create. 


[Screenshot: IAM & admin > Create service account form with Service account name, Service account ID and Service account description.] 
(3) Choose the Viewer and Security Reviewer roles to grant at least read permissions to the 
service account and click Continue. 


[Screenshot: Create service account step "Grant this service account access to project", with the roles Viewer (Read access to all resources) and Security Reviewer (permissions to get any IAM policy) added.] 


(4) Click CREATE KEY and select JSON as Key type and click Create. 


[Screenshot: Create key (optional) panel with the note "Download a file that contains the private key. Store the file securely because this key can't be recovered if lost." and the Key type options JSON (Recommended) and P12 (for backward compatibility with code using the P12 format).] 


A message saying “Private key saved to your computer” is displayed and the JSON file is 
downloaded to your computer. Click Close and then click Done. 




Upload the configuration (JSON) file and click Create Connector to complete GCP 
connector creation in Qualys Cloud Platform. 
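Before uploading the downloaded JSON key as the connector's configuration file, the added Python example below (not Qualys' or Google's code) checks that the file has the shape of a service account key, that its client_email belongs to its project_id, and whether the connector's Project ID is a different project that still needs the IAM grant described under Assign Service Account to other projects. The key contents are constructed placeholders.

```python
"""Sanity-check a GCP service account key file before it is uploaded as the
connector's configuration file.

Added example, not Qualys' or Google's code. The key below is constructed:
its private_key is a placeholder string, not real key material, and the
project and account names are invented.
"""
import json
import re

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
# <account-id>@<project-id>.iam.gserviceaccount.com
SA_EMAIL = re.compile(
    r"^[a-z][-a-z0-9]{5,29}@([a-z][-a-z0-9]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")


def key_file_problems(key: dict) -> list:
    """Return findings for a parsed key file; an empty list means it looks usable.

    Checks the shape the JSON key type produces (the P12 alternative in the
    guide is a different format), the account address, and that the address
    belongs to the project named in project_id.
    """
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account (is this a user credential file?)")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key block")
    m = SA_EMAIL.match(key.get("client_email", ""))
    if not m:
        problems.append("client_email is not a service account address")
    elif m.group(1) != key.get("project_id"):
        problems.append("client_email project does not match project_id")
    return problems


def needs_cross_project_grant(key: dict, connector_project_id: str) -> bool:
    """True when the connector's Project ID is not the project that owns the
    service account. The account then has to be added as a member (Viewer and
    Security Reviewer) in that project's IAM, as described under Assign Service
    Account to other projects; the key file itself does not change."""
    return key.get("project_id") != connector_project_id


def load_key_file(path: str) -> dict:
    """Parse the downloaded JSON key; a P12 file or an HTML error page fails here."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in the layout of a downloaded JSON key (placeholder values).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-project-1513669048551",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "qualys-connector@my-project-1513669048551.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    print("problems:", key_file_problems(SAMPLE_KEY))
    # Connector Project ID from the guide's form differs from the key's project:
    print("needs IAM grant in that project:",
          needs_cross_project_grant(SAMPLE_KEY, "sample-project1234"))
```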


Assign Service Account to other projects 


You can use an existing service account for setting up connectors for additional projects. 
Simply assign the service account as a member in IAM at the organization level or at the 
project level. 

The steps are as follows. 

Assign Service Account in IAM at project level 

1) Log in to the Google Cloud Platform (GCP) console. 

2) From the left navigation bar, select IAM & admin. 

3) Select the project from the drop-down menu in the top-left corner. 

4) In the IAM menu bar, click +ADD. 

5) In the New Members box, type the name of the service account and click the suggested 
value. 

6) In the Select a role drop-down box, select the appropriate role. Choose Viewer role and 
Security Reviewer role to assign at least reader permissions to the service account. 

7) Click Save. 

8) To add additional projects, repeat steps 3 through 7. 


Assign Service Account in IAM at organization level 

1) Log in to the Google Cloud Platform (GCP) console. 

2) From the left navigation bar, select IAM & admin. 

3) Select your organization from the drop-down menu in the top-left corner. 

4) In the IAM menu bar, click +ADD. 

5) In the New Members box, type the name of the service account and click the suggested 
value. 

6) In the Select a role drop-down box, select the appropriate role. Choose Viewer role and 
Security Reviewer role to assign at least reader permissions to the service account. 

7) Click Save. 
Go to Configuration > Google Cloud Platform and select the connector for which you want 
to edit the details. From the quick actions menu, select View, go to the Connector 
Information tab and click Edit. 


[Screenshot: Edit Connector dialog for My GCP Connector with Connector Details, Polling Frequency (4 hours 0 minutes) and Authentication Details (configuration file upload).] 


You can now edit the required details. 


Once you update the required details, you can click Test to verify that the connection to the 
GCP cloud provider is successful with the details you updated. If the test connection is 
successful, click Save and proceed. 


If the test connection fails, you need to check and update the authentication details 
(configuration file) you uploaded for the connection to work. 


GCP Resource Inventory 


Upon setting up the Google Cloud Platform (GCP) connector, it starts discovering the 
resources that are present in your GCP account. The inventory and the metadata of the 
resources are pushed to the Qualys portal. For the list of the resources that are collected, 
refer to Resources List. To fetch the updated resources, select Run from the quick 
actions menu for the GCP connector. 


Resources List 


CloudView will discover and fetch the following GCP resources and their corresponding 
attributes. 

- VM Instances 

- Networks 

- Firewall Rules 

- Subnetworks 

- Cloud Functions 
Enable-Disable Connectors 


We give you the flexibility to enable or disable a connector with a single click. When you 
disable a connector, it is not eligible for auto-run or manual run. You can still view 
information for, edit or delete a disabled connector. 

Disable Connector 

1) Go to the Configuration tab and then the cloud provider tab to which the connector belongs. 


2) Select the connector to be disabled and, from the quick actions menu, select Disable. 


3) Click on the confirmation message. The connector gets disabled. 


[Screenshot: Configuration > Google Cloud Platform connector list with the quick actions menu (View, Run, Assign Group, Show Resources, Show Errors) open for a connector.] 


Note: Automatic or manual connector runs skip disabled connectors. Only connectors 
in the enabled state are executed during a connector run. 

Enable Connector 

1) Go to the Configuration tab and then the cloud provider tab to which the connector belongs. 


2) Select the connector to be enabled and, from the quick actions menu, select Enable. 

3) Click on the confirmation message. The connector gets enabled. 


[Screenshot: Configuration > Google Cloud Platform tab listing the GCP connectors; the 
Quick Actions menu (View, Delete, Assign Group, Show Resources, Show Errors) is open for a 
connector whose status is Disabled.] 
Managing Connector Access for Users 


You can create users and then assign a role to them to grant access according to the role 
you define. We support multiple user roles. 


- User with Manager role: The most privileged users are users with the Manager role, as 
they have full privileges and access to all resources in the subscription. Only users with 
the Manager role can create users and assign roles. 


- Sub Users: There are two types of sub users that a user with the Manager role can 
create. Depending on the permissions you assign to the role, you can categorize the sub 
users into all privileges or reader privileges. 


All privileges: The sub user has all the privileges in CloudView except creating and 
managing other users. For more information, refer to Sub User (All Privileges). 


Reader privileges: A sub user with the Reader role can only view the data displayed in the 
CloudView module. 


User Permissions 


The following table provides a comparison of the privileges granted to each user role. 


Operations                               User (Manager role)   Sub User (All privileges)   Sub User (Reader role) 
Create New Users                         Yes                   No                          No 
Grant Access to Sub-Users                Yes                   No                          No 
Update Access of Existing Users          Yes                   No                          No 
Create and Assign Groups to Connectors   Yes                   No                          No 
Manage Connectors                        Yes                   No                          No 
Manage Policies and Controls             Yes                   Yes                         No 
Customize Controls                       Yes                   Yes                         No 
Reports                                  Yes                   Yes                         View only 
Dashboards                               Yes                   Yes                         Yes 
New Users: Scope and Permissions 


Only users with the Manager role have permissions to create new users and grant them 
permissions. Let us view the high level steps. 


- Create User 
- Assign Role to Users 
- Manage Access for Users (Grouping Connectors) 
- Manage Access for Users 


Create User 


Users with manager role can add users, up to the number allowed for the subscription 
service level. 


Quick Steps 


(1) Create a Reader User: Navigate to Administration module > User Management > Create 
User > Create Reader User. 


[Screenshot: Administration > User Management tab with the Create User menu open, showing 
Create Reader User and Create Manager User.] 


(2) Provide the necessary information for the user creation such as General Information, 
Locale, User Role, Asset Groups (optional), Permissions, Options, and Security. 


Ensure that you select at least the Reader role for User Role. For all other options you can 
retain the default settings. 


(3) Click Save. 
How do I grant a user permissions? 


You can define a role and then assign the defined role to the user. The role you define 
decides the permissions assigned to the user. You do this by editing the user's account. For 
example, to create a user with full access, you need to enable all the permissions in a role 
and assign the role to the user. You can assign the same role to grant full access to 
multiple users at one go. Learn more 


What happens after adding a new user? 


When you create a new user, the user appears on the user accounts list with a status of 
‘Pending Activation’. The user will automatically receive a registration email with a secure 
one-time-only link to the credentials for their new account and login instructions. The 
registration email is sent to the email address defined in the user's account. The user's 
status changes to ‘Active’ after logging in for the first time. 


Assign Role to Users 


Use the Administration utility (last option in the app picker) to view and manage users 
and grant access to the CloudView application. On the User Management tab you'll see the 
apps each user has access to. Access is role based. 


Refer to the online help available in the Administration utility for detailed information. 


Tell me the steps 


In the Administration utility, go to Users > Role Management. This is where you create 
new roles and make changes to the permissions for existing roles. You can also quickly 
assign roles to users from here. 


Don't see this tab? You need to have 1) full permissions and scope, or 2) a role with the 
‘Access Role Management Section' permission enabled in the Administration utility. 
Tell me about the various roles 

You can configure two sub user roles: 

- Sub User with all privileges: We provide a predefined role named 'CLOUDVIEW user'. 
Assign the role to the required user and the user is granted full access in CloudView. Learn 
more 


- Sub User with Reader privileges: The user with the Reader role can only view the data 
displayed in the CloudView module. Click New Role. Give the role a name and description, 
and then select the modules and permissions to be granted to a user when the role is 
assigned. Learn more 


How do I assign roles to users? 


Select the role you want to assign and choose 'Add To Users’ from the Quick Actions menu. 
Then tell us which users should be assigned the role and click Save. You can remove roles 
from users in a similar way - just select the action Remove From Users. 


How do I edit a role? 
Select any role in the list and choose Edit from the Quick Actions menu. 
You can change the role name and description and edit the assigned permissions. Any 
changes you make to a role will apply to all users assigned that role. 


Warning - Be careful when removing the UI access permission from a role. A user 
will not be able to log into the UI if they don't have at least one role with the UI 
access permission assigned. 


Tell me about permissions 


When you're editing the permissions for a role, you'll notice that you can define 
application access, modules to be accessible, and permissions within the module for the 
users with the current role. 


Ensure that you have assigned CloudView module to be accessible for the users. Simply 
click the title of a group to expand its permissions. Then select the permissions you want 
to assign to the role. 


- All privileges: Sub User will have all the privileges in CloudView except creating and 
managing other users. For more information, refer to Sub User (All Privileges). 


- Reader privileges: Sub User with Reader role can only view the data displayed in 
CloudView module. For more information, refer to Sub User (Reader Privileges). 


Can I delete a role? 


Yes. Select the role and choose Delete from the Quick Actions menu. The role you delete 
will no longer be assigned to users. It is removed automatically from all users' accounts 
(that had it previously assigned) and those users will no longer have the permissions 
granted by the role. 


Warning - Be careful when removing the UI access permission from a role. A user 
will not be able to log into the UI if they don't have at least one role with the UI 
access permission assigned. 


Note: If you edit the permissions of a pre-defined role or delete a pre-defined role, 
the users associated with the roles you edit may experience a difference in access 
behavior. 


Manage Access for Users (Grouping Connectors) 


You can control access for sub users with the usage of groups. The groups help you to 
organize your connectors and to manage user access to them. 


Groups 

You can apply groups to connectors to form connector groups, or segregate a connector by 
using a specific group for that connector alone. Use groups to grant or restrict access for 
the users you create. 

Assign Groups to Connector 


Let us see how to create connector groups and provide access to a particular connector for 
a user. 
(1) Navigate to the Configuration tab and then to the Cloud Provider (AWS, Azure, or GCP) for 
which you want to create a connector group. 


If you have multiple accounts or multiple connectors, you can restrict access to a 
particular account or connector using groups. 


(2) Choose the connector for which you want to configure access and click Assign Group 
from the quick action menu. 


[Screenshot: Configuration > Microsoft Azure tab listing connectors, with the Quick Actions 
menu (View, Run, Delete, Show Resources) open for a connector.] 


(3) Type a name for the group and click Create and then click Save. 


[Screenshot: Assign Group to Connector dialog. Type a group name until "No result found" is 
displayed, click Create and the group is created, then click Save.] 


To assign the groups to a sub user, you need to associate the group with the user. For more 
information, refer to Manage Access for Users. 
Restrict User Access to all Connectors 


Note: By default, if no groups are assigned to a sub user, the sub user can access 
all connectors. To restrict access to all connectors, you need to create a group and 
not assign it to any connector but only to the user. 


(1) Navigate to Configuration tab and then the Cloud Provider for which you would want to 
create connector groups. 


(2) Choose any connector and click Assign Group from the quick action menu. 


(3) Type a name for the group and click Create. DO NOT click Save but click Cancel. 


[Screenshot: Assign Group to Connector dialog. Provide a name for the group (empty_group in 
the example), click Create, then click Cancel.] 


A group is created without being assigned to any connector. Assign this group to the users 
through the Access Management tab. The user is restricted from accessing any account. 


To grant access to a connector in this case, you simply need to assign another group 
associated with a connector. 


Manage Access for Users 


The user with Manager role can assign access to sub users and decide which connectors 
are accessible to sub users. The Access Management tab lists all the sub users who can 
access the CloudView module. 


If you do not see any sub users, you can create them. To create a new sub user, go to the 
Administration utility, create the new users and assign a role to each user. 


Assign Scope to a User 
(1) Navigate to Configuration > Access Management tab. 


The Access Management tab is available only to users with the Manager role. The user with 
the Manager role can manage access for sub users. 
(2) Select the user, and click Manage Access from the quick action menu. 


[Screenshot: Access Details page for a sub user. It shows the user details and role details, a 
Groups section (manage the access based on groups) and a Connectors and Regions section 
(manage the access for each cloud provider by assigning connectors or regions).] 


There are two ways you can configure access for sub users: 


- Using groups 
To assign groups to a sub user, you associate the group with the user. 


[Screenshot: Manage access for groups dialog; assign a group of connectors (sample_group in 
the example) to the user to define what the user can manage.] 


Click Add Groups and select the group, and click Save to associate the group with the user. 
If a group is assigned to multiple connectors that belong to different Cloud Providers, the 
user can access all the connectors associated with the groups. 


- Using connectors 


When you define scope for a sub user, you could directly select the connectors for every 
Cloud Provider and associate it with the sub user. The sub user can then access all the 
connectors assigned to the sub user. 
In the Connectors and Regions section, click the link for the specific Cloud Provider and 
then select the connector, and click Save. 


You can select multiple connectors from multiple cloud providers as well. For AWS, you 
can select connector and region as well. 
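The scoping rules in this section and in Restrict User Access to all Connectors, worked through as an added Python model. This is not Qualys code: the connector names, groups, and sub users are constructed, and the model assumes exactly the rules the guide states (no scope means access to all connectors; a group attached to no connector grants nothing; group-based and direct connector assignments are combined).

```python
"""Added model of how CloudView scopes a sub user's connector access, as this
guide describes: groups attached to connectors, direct connector assignment,
and the default of access to everything when no scope is defined.  Not Qualys
code; connector names, groups and users below are constructed sample data."""
from typing import Dict, Iterable, List, Set

# Connector name -> cloud provider and the groups assigned to it (constructed).
CONNECTORS: Dict[str, dict] = {
    "aws-prod":   {"provider": "AWS",   "groups": {"prod"}},
    "aws-dev":    {"provider": "AWS",   "groups": {"dev"}},
    "azure-prod": {"provider": "Azure", "groups": {"prod"}},
    "gcp-demo":   {"provider": "GCP",   "groups": set()},
}

# A group created with Create + Cancel exists but is attached to no connector.
KNOWN_GROUPS: Set[str] = {"prod", "dev", "empty_group"}


def accessible_connectors(user_groups: Iterable[str],
                          user_connectors: Iterable[str] = ()) -> Set[str]:
    """Connectors a sub user can see, given the groups and the connectors
    assigned to them on the Access Management tab."""
    groups = set(user_groups)
    direct = set(user_connectors)
    unknown = (groups - KNOWN_GROUPS) | (direct - set(CONNECTORS))
    if unknown:
        raise ValueError(f"unknown group or connector: {sorted(unknown)}")
    if not groups and not direct:
        return set(CONNECTORS)  # default: no scope defined means all connectors
    scope = set(direct)  # directly assigned connectors
    for name, conn in CONNECTORS.items():
        if conn["groups"] & groups:  # any shared group, across cloud providers
            scope.add(name)
    return scope


def unscoped_sub_users(assignments: Dict[str, dict]) -> List[str]:
    """Sub users with neither groups nor connectors assigned; they fall back to
    the default and see every connector, so this list is worth reviewing."""
    return sorted(u for u, a in assignments.items()
                  if not a["groups"] and not a["connectors"])


# Constructed sample sub users and their Access Management assignments.
SAMPLE_USERS: Dict[str, dict] = {
    "ops_prod": {"groups": {"prod"}, "connectors": set()},
    "auditor":  {"groups": set(), "connectors": set()},
    "gcp_only": {"groups": {"empty_group"}, "connectors": {"gcp-demo"}},
    "locked":   {"groups": {"empty_group"}, "connectors": set()},
}
```

Because the group lookup ignores the cloud provider, a group attached to both an AWS and an Azure connector grants access to both, which is the cross-provider behaviour the guide describes under Using groups.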


[Screenshot: Manage access for AWS dialog; assign a connector or region (Mumbai in the 
example) to the user to define what the user can manage, then click Save.] 


Defining Scope for Existing Users 


Only users with the Manager role have permissions to grant permissions to existing users 
and modify their permissions. Let us view the high level steps. 


- Manage Access for Users (Grouping Connectors) 
- Manage Access for Users 


For more information refer to Role-based Access Management. 
Sub User (All Privileges) 


We provide a predefined role (CLOUDVIEW User) that carries the full-access permissions. 
You simply need to assign the predefined role (CLOUDVIEW User) to the user to grant 
them full access in CloudView. 


The user with full access role can perform all the actions available to the user such as 
create connectors, manage policies, manage controls, and so on. 


Permissions: Only users with manager role can access Administration module and create 
sub-users. 


What can the Sub User with Full Access do? 
The user with full access role can 

- Manage Connectors 

- Manage controls and policies 

- Create and edit dashboards 

- Create and edit groups (connector groups) 

- Create sub users and assign groups 


Quick Steps 


(1) Create a Reader User: Navigate to Administration module > User Management > Create 
User > Create Reader User. 


[Screenshot: Administration > User Management tab with the Create User menu open, showing 
Create Reader User and Create Manager User.] 
(2) In the Administration utility, go to the Role Management tab, select CLOUDVIEW user and 
select Add to Users from the quick action menu. 


[Screenshot: Administration > Role Management tab listing roles, with the Quick Actions menu 
(View, Add To Users, Remove From Users, Add Permissions, Remove Permissions, Delete) open 
for a role.] 


Alternatively, you could also create a new role, assign two permissions (CLOUDVIEW 
UI Access and CLOUDVIEW API Access) to the role, and assign the role to the 
required user. 


[Screenshot: Role Creation, Step 2 of 3 (Permissions): UI Access and API Access are selected 
as the ways users access the application, and under the CloudView module only CLOUDVIEW UI 
Access and CLOUDVIEW API Access are enabled (2 of 4 permissions).] 
Note: If all four permissions are enabled, the read-only permission overrides the others 
and the sub user has only read privileges. For all privileges to be enabled, ensure that 
you enable only the two permissions above. 
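How the four CloudView permissions combine across a user's roles, including the read-only override in the note above and the UI access warning from the role editing section, as an added Python model. This is not Qualys code: only the permission names and the predefined 'CLOUDVIEW user' role come from the guide; the other role names and the user assignments are constructed, and the model assumes that a read-only permission overrides full access whenever both are present, which generalizes the all-four case the note describes.

```python
"""Added illustration of how CloudView role permissions combine into a sub
user's effective access, following the rules stated in this guide. Not Qualys
code: the role names other than 'CLOUDVIEW user' and the user assignments are
constructed sample data, and the rule that a read-only permission overrides a
full-access permission is assumed to apply whenever both are present."""
from typing import Dict, FrozenSet, Iterable, List

# Permission names as they appear in the Role Creation screen.
UI_ACCESS = "CLOUDVIEW UI Access"
API_ACCESS = "CLOUDVIEW API Access"
UI_READONLY = "CLOUDVIEW Readonly Access"
API_READONLY = "CLOUDVIEW API Readonly Access"

# Role name -> permissions it grants (constructed, except the predefined
# 'CLOUDVIEW user' role, which the guide says carries full access).
ROLES: Dict[str, FrozenSet[str]] = {
    "CLOUDVIEW user": frozenset({UI_ACCESS, API_ACCESS}),
    "Reader": frozenset({UI_ACCESS, UI_READONLY, API_READONLY}),
    "All four": frozenset({UI_ACCESS, API_ACCESS, UI_READONLY, API_READONLY}),
    "API only": frozenset({API_ACCESS}),
}


def effective_permissions(role_names: Iterable[str]) -> FrozenSet[str]:
    """A user holds the union of the permissions of every assigned role."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return frozenset(perms)


def access_level(role_names: Iterable[str]) -> str:
    """Resolve the access a sub user ends up with in CloudView."""
    perms = effective_permissions(role_names)
    if UI_ACCESS not in perms:
        # Guide's warning: without a role granting UI access, no UI login.
        return "no UI login"
    if perms & {UI_READONLY, API_READONLY}:
        # Guide's note: read-only overrides, even when API Access is also set.
        return "read-only"
    return "full access"


def users_locked_out_if_ui_access_removed(role_name: str,
                                          assignments: Dict[str, List[str]]) -> List[str]:
    """Pre-check for the guide's warning before editing a role: users whose
    only source of UI access is `role_name` would lose the ability to log in."""
    if UI_ACCESS not in ROLES[role_name]:
        return []
    locked = []
    for user, roles in assignments.items():
        if role_name not in roles:
            continue
        if not any(UI_ACCESS in ROLES[r] for r in roles if r != role_name):
            locked.append(user)
    return sorted(locked)


# Constructed sample user -> assigned roles.
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["CLOUDVIEW user"],
    "bob": ["Reader"],
    "carol": ["CLOUDVIEW user", "Reader"],
    "dave": ["API only"],
}
```

Running users_locked_out_if_ui_access_removed before removing UI Access from a role turns the guide's warning into a concrete check: carol keeps UI access through her Reader role, but alice would be locked out.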


(3) Select the required user from the Users drop-down and click Save. Choose the user to 
whom you want to assign full access to CloudView. 


The new user is ready to use CloudView with full access capabilities! 
Sub User (Reader Privileges) 


You can create a new user role “Reader” (read-only-access permissions) and assign it to 
sub-users. The user with Reader role can only view the data displayed in CloudView 
module. 


Permissions: Only users with access to Administration module can create sub-users with 
reader role. 


What can the Reader User do? 

The user with reader role can 

- View connectors 

- Monitor controls, policies and resources 

- Create and edit dashboards 

The user with the reader role cannot create connectors or evaluate controls and policies. 


Quick Steps 


(1) Create a Reader User: Navigate to Administration module > User Management > Create 
User > Create Reader User. 


[Screenshot: Administration > User Management tab with the Create User menu open, showing 
Create Reader User and Create Manager User.] 
(2) Create a role in the Administration utility and ensure that the role has the UI Access 
permission, CLOUDVIEW Readonly Access and CLOUDVIEW API Readonly Access enabled. 


[Screenshot: Role Creation, Step 2 of 3 (Permissions): UI Access and API Access are 
selected, and under the CloudView module all four permissions are enabled (4 of 4): 
CLOUDVIEW API Readonly Access, CLOUDVIEW Readonly Access, CLOUDVIEW UI Access and 
CLOUDVIEW API Access.] 


(3) Assign the role to the newly created user. 


The new reader user is ready to use CloudView with monitoring capabilities! 
Securing Cloud Resources 


Once your connector is set up, it starts discovering the resources that are present in your 
cloud account. The resource inventory and the metadata of the resources are pushed to the 
Qualys portal. You can navigate to the Resources tab to view the resources being 
collected along with their details. 


Unified Dashboard 


Dashboards help you visualize your cloud resources, evaluation of your cloud resources, 
see your threat exposure, leverage saved searches, and fix resource misconfigurations 
quickly. 


We have integrated Unified Dashboard (UD) with CloudView. UD brings information from 
all Qualys applications into a single place for visualization. UD provides a powerful new 
dashboarding framework along with platform service that will be consumed and used by 
all other products to enhance the existing dashboard capabilities. 


You can use the default CloudView dashboard provided by Qualys or easily configure 
widgets to pull information from other modules/applications and add them to your 
dashboard. You can also add as many dashboards as you like to customize your 
CloudView view. 


Refer to the Unified Dashboard online help for more details. 


Resources Details 


The Resources tab displays the information about various resources collected. It helps you 
to identify the number of resources for each type and the number of resources that have 
one or more control failures. You can click on a row to view the number of resources of a 
specific type. You can click on an individual resource to view the details. For each resource 
you will view the following information. 
Resources Summary 


The List View provides a summary of your resources, including the total resources and the 
number of failed resources for each resource type. 


[Screenshot: Resources tab List View showing, for each resource type (Instance, Subnet, 
Security Group, Route Table, S3 Bucket, IAM User, EBS Volume, Lambda Function and so on), 
the total and failed resource counts, with Account, Resource Type and Regions filters in the 
left pane.] 


Let us consider an example of Instance (EC2 Instance) and Security Group resource type to 
view the resource details and information. 
Instance Details 


Click Instance type to drill-down into your AWS EC2 instances. You could also use the 
filters in the left pane to narrow down resources per region or account. 


[Screenshot: Resources > Instance list view showing the total instances and the counts 
without agents, with public IP, Docker hosts and with vulnerabilities, and one row per EC2 
instance (instance ID, account ID, region, state and last updated time), with Account and 
Regions filters in the left pane.] 


Then click on any EC2 Instance ID to see the number of detected vulnerabilities, resource 
associations, location and network information. You can also perform actions on 
instances such as stop instance or remove IAM profile. These actions are supported only if 
you have enabled remediation for the connector associated with the instances. For more 
information, refer to Actions for Cloud Resources (AWS). 


Vulnerability Details for Instances 


We show vulnerability details for Instance type resources in CloudView. The details 
include resource inventory, security details, compliance details, and sensor details. 


A few points to note for the resource details to be visible: 


- The details are displayed only for Instance type resources 
(AWS: Instance, Azure: Virtual Machine, GCP: VM Instances). 


- The resource (asset) must also be detected during a Qualys scan or must have the Qualys 
Cloud Agent installed on it. The resource (asset) must be available in the Qualys Cloud 
Platform (AssetView). 


- If the resource has the Qualys Cloud Agent installed, the Agent Summary section displays 
the corresponding details. 
Resources Details 


Go to Resources and then select the Cloud Provider (AWS, Azure, or Google Cloud 
Platform). Now, select the resource of instance type and click the resource. The Resource 
Details page displays the enhanced details. 


[Screenshot: Resource Details page for an EC2 instance that also exists in Qualys Cloud 
Platform. The left pane lists Cloud Metadata (Summary, Network Interfaces, Associations, 
Tags), Inventory (Asset Summary, System Information, Network Information, Open Ports, 
Installed Software), Security (Vulnerabilities), Compliance (File Integrity Monitoring, 
Policy Compliance) and Sensors (Agent Summary). The Summary shows general details (instance 
name, ID, type, status, image (AMI) ID, first discovered and last updated dates), 
vulnerability counts, associations (security group, auto scaling group, load balancer), 
location (account ID, region, availability zone) and network details (VPC ID, subnet ID, 
private and public DNS and IP addresses).] 


Note: If the resource does not exist in Qualys Cloud Platform, the View Mode is displayed 
for the resource. 


[Screenshot: Resource Details page in View Mode for an instance that does not exist in 
Qualys Cloud Platform. Only the cloud metadata sections (Summary, Network Interfaces, 
Associations, Tags) are shown, with the general, associations, location and network 
details of the instance.] 




Click on the Vulnerabilities count to get information about detected vulnerabilities. 


The vulnerability related data is populated only if you are using a scanner 
appliance or Cloud Agent. 


[Screenshot: Resource Details > Vulnerabilities for an instance, showing Confirmed and 
Potential vulnerabilities by severity (Sev 1 to Sev 5) and Detections by Status.] 


Drill down to Vulnerability Details for Instances (only for AWS) 


We provide you with multiple metadata filters to narrow down your search for 
vulnerability details. Using the filters, you can get a complete view of the vulnerability 
posture from both an asset and a vulnerability point of view. 


Under the Resources tab, select the Instance type of resource (AWS). Choose the Instance 
resource type from the Resource drop-down. 


The Resource Type drop-down is available to quickly view resource inventory of different 
types of resources. You can use the various metadata filters, group by options and custom 
query capabilities to find what you are interested in. 


Note: The vulnerability data is available only for Instance type of resource (AWS 
cloud provider) and only after the Instances have been scanned. 


[Screenshot: Resources > Instance list view (Amazon Web Services) filtered with 
instance.state:running and vulnerability.typeDetected:Potential, with numbered callouts 1 
to 5 explained below.] 


1 - Indicates the type of resource 
2 - Click to view instances in your inventory 
3 - Click to view vulnerabilities that affect the instances in your cloud environment 
4 - Various group-by filters to narrow down your search 
5 - Filters for the type of vulnerabilities 


Using the various filters, you can drill down to view the vulnerabilities that exist on 
instances. The search tokens give you further flexibility to narrow down your search 
results. 


You could view more details about a security group resource. Go to Resources > Security 
Group, and then click the security group ID to view additional details about it. 


[Screenshot: Resource Details page for a security group, showing the General summary (group 
ID, name, description, VPC ID, first discovered date), the Inbound and Outbound Rules 
counts, Controls Evaluated and Controls Failed, Associations (Instance, Load Balancer, 
Reference Security Groups) and Location (account ID, region).] 


You can view various details about the associations such as the ID, region, state and so on. 


[Screenshot: Security group Associations tab listing the associated instances with instance 
ID, region, first discovered date, state and number of vulnerabilities.] 


View Controls Evaluated 


You can view the controls that are evaluated for the resource and if the controls have 
passed or failed. 


[Screenshot: Controls Evaluated tab for a security group, listing control ID, control, 
criticality and result. In the example both "Ensure no security groups allow ingress from 
0.0.0.0/0 to port 22" and "Ensure no security groups allow ingress from 0.0.0.0/0 to port 
3389" have the result FAIL.] 
Resources Misconfigurations 


CloudView compares the controls from the out-of-the-box policies, which define the desired 
configuration of a resource, against the current configuration of the resource. If it finds a 
difference, it marks the resource as failed for that particular control. Each control is 
evaluated against the applicable resources. If all the applicable resources are configured 
as per the desired configuration of the control, the control is marked as Pass. If at 
least one of the applicable resources doesn't comply with the control, it is marked as 
Failed. The Monitor tab displays all such misconfigurations. 


Controls Evaluation View 


[Screenshot: Monitor tab for Amazon Web Services (Last 30 Days), with numbered callouts 1-8 over Total Controls Evaluated, Total Evaluations, Pass, Fail, Failures by Criticality (High, Medium, Low), Remediable, and the Failed Evaluations list.]


Let us see what each number signifies: 


1 - Total number of controls that are evaluated. 


2 - Total number of evaluations. A unique combination of resource and control is 
treated as one evaluation. 

3 - Number of evaluations that Passed. The Pass count includes control evaluations 
that are passed as well as passed with exception. 

4 - Number of evaluations that Failed. 

5 - Number of failed evaluations with high criticality. 

6 - Number of failed evaluations with medium criticality. 

7 - Number of failed evaluations with low criticality. 


8 - Number of failed evaluations that can be remediated. Click to view the controls with 
failed evaluations that are remediable. For more information on remediating cloud 
misconfigurations, see Remediating Cloud Resources. 


Note: When you change criticality of a control, the revised control criticality for existing 
evaluations is effective upon next connector run. 


Each control is evaluated against its applicable resources; their count is shown as Total 
Resources. The number in green is the number of resources that passed, i.e. that have the 
desired configuration as per the control. The number in red is the number of resources 
that failed. 


Click any control to get details of all the resources evaluated against the control. 
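The evaluation model described above (one evaluation per control and applicable resource, a control that passes only when every applicable resource passes, and the Monitor tab counters) is easy to reason about in code. The following is an added example written for this guide, not CloudView's own code: the controls, CIDs, checks and security group and bucket resources are constructed samples modelled on the controls named on this page, and the evidence strings are my own.

```python
"""Toy control-evaluation engine modelled on the Monitor tab's rules.
Added example, not CloudView code; CIDs, checks and resources are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PASS, PASSE, FAIL = "PASS", "PASSE", "FAIL"   # PASSE = pass with exception


@dataclass
class Control:
    cid: int
    name: str
    criticality: str                          # HIGH / MEDIUM / LOW
    resource_type: str                        # only resources of this type are applicable
    check: Callable[[dict], Optional[str]]    # returns evidence text when the resource fails, else None
    remediable: bool = False


@dataclass
class Evaluation:
    cid: int
    resource_id: str
    result: str
    evidence: str


def open_to_world(port: int) -> Callable[[dict], Optional[str]]:
    """Build a check that fails a security group with an ingress rule from 0.0.0.0/0 covering `port`."""
    def check(sg: dict) -> Optional[str]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["from"] <= port <= rule["to"]:
                return f"ingress {rule['from']}-{rule['to']} from 0.0.0.0/0"
        return None
    return check


def versioning_disabled(bucket: dict) -> Optional[str]:
    """Evaluation criterion from the guide: Versioning Status must be Enabled."""
    return None if bucket["versioning"] == "Enabled" else f"Versioning Status {bucket['versioning']}"


# Constructed controls (CIDs are illustrative, not Qualys's numbering)
CONTROLS = [
    Control(41, "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22", "HIGH", "SecurityGroup", open_to_world(22), True),
    Control(42, "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389", "HIGH", "SecurityGroup", open_to_world(3389), True),
    Control(48, "Ensure versioning is enabled for S3 buckets", "MEDIUM", "S3Bucket", versioning_disabled),
]

# Constructed resources (sample data, not real accounts)
RESOURCES = [
    {"id": "sg-aaaa0001", "type": "SecurityGroup", "ingress": [{"cidr": "0.0.0.0/0", "from": 22, "to": 22}]},
    {"id": "sg-aaaa0002", "type": "SecurityGroup", "ingress": [{"cidr": "10.0.0.0/8", "from": 0, "to": 65535}]},
    {"id": "bucket-one", "type": "S3Bucket", "versioning": "Enabled"},
    {"id": "bucket-two", "type": "S3Bucket", "versioning": "Suspended"},
]


def evaluate(controls: List[Control], resources: List[dict]) -> List[Evaluation]:
    """One evaluation per (control, applicable resource) pair; non-applicable pairs are not recorded."""
    evals = []
    for c in controls:
        for r in resources:
            if r["type"] != c.resource_type:
                continue
            evidence = c.check(r)
            result = PASS if evidence is None else FAIL
            evals.append(Evaluation(c.cid, r["id"], result, evidence or "desired configuration present"))
    return evals


def control_result(evals: List[Evaluation], cid: int) -> str:
    """A control passes only if every applicable resource passed (PASS or PASSE)."""
    return FAIL if any(e.cid == cid and e.result == FAIL for e in evals) else PASS


def summary(controls: List[Control], evals: List[Evaluation]) -> Dict[str, int]:
    """The counters shown on the Monitor tab. Pass counts PASS as well as PASSE."""
    crit = {c.cid: c.criticality for c in controls}
    remediable = {c.cid for c in controls if c.remediable}
    failed = [e for e in evals if e.result == FAIL]
    return {
        "controls_evaluated": len({e.cid for e in evals}),
        "total_evaluations": len(evals),
        "pass": sum(e.result in (PASS, PASSE) for e in evals),
        "fail": len(failed),
        "fail_high": sum(crit[e.cid] == "HIGH" for e in failed),
        "fail_medium": sum(crit[e.cid] == "MEDIUM" for e in failed),
        "fail_low": sum(crit[e.cid] == "LOW" for e in failed),
        "remediable": sum(e.cid in remediable for e in failed),
    }


if __name__ == "__main__":
    evs = evaluate(CONTROLS, RESOURCES)
    for e in evs:
        print(e.cid, e.resource_id, e.result, e.evidence)
    print(summary(CONTROLS, evs))
```

Running the block prints six evaluations (two security groups against two controls, two buckets against one) and a summary with two failures, one HIGH and one MEDIUM; the security group control fails because one of its two applicable resources failed, which is the per-control roll-up rule the text describes.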
Control Evaluation Details 


The control details screen shows the number of resources evaluated against the control. For 
each resource it shows the Unique Resource ID, Account ID, Region, etc. You can use the 
search filter to view passed or failed resources. 


[Screenshot: Control Evaluation: CID-45 "S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users" (Policy: AWS Best Practices, Platform: AWS, Service: s3). Evaluation: Control checks whether bucket access control list allows read or write access to Everyone or AWS Authenticated Users. Below it, a table of evaluated resources with columns Resource, Account ID, Evaluated On and Result.]


Resource Evidence 


To get more details on why a resource failed, click the Evidence link to see actual values 
for the resource attributes. 


[Screenshot: Control Evaluation: CID-48 "Ensure versioning is enabled for S3 buckets" (Policy: AWS Best Practices Policy, Platform: AWS, Service: s3). Evaluation: Control checks whether the versioning is enabled on S3 buckets. The Evidence panel for a failed resource shows Evidence Details, Remediation Steps and a View in AWS Console link, an Evaluation Summary (Last Reopened, First Evaluated, Last Fixed, Last Evaluated) and the Evaluation Criteria, here "Versioning Status: Enabled".]


The Evaluation Summary tells you the following facts as well: 

- First Evaluated: The date when the control was evaluated for the first time. 

- Last Evaluated: The latest date when the control was evaluated. 

- Last Reopened: The latest date when the control evaluation result changed from pass 
to fail. 

- Last Fixed: The latest date when the control evaluation result changed from fail 
to pass. 


View Remediation Steps 
Click the Remediation Steps tab to learn the steps needed to fix the failure. 


[Screenshot: Control Evaluation: CID-45, Remediation Steps tab for a failed bucket. Perform the following: 
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/. 
2. Select the bucket and click Permissions. 
3. In the permissions pane, navigate to the Public Access section. 
4. The section shows a list of permissions assigned to everyone. Uncheck all the permissions granted to everyone.]
View Control Evaluation Results per Account 
Quickly view how many controls are passed/failed by clicking the account filter. 


[Screenshot: Monitor tab showing Evaluations, Security Posture and Failures by Criticality for all accounts, then filtered to one account with the query account.id: 383031258652, where the Pass/Fail counts and the control list (e.g. the CIS Amazon Web Services Foundations Benchmark controls for MFA, unused console credentials and unused access keys) reflect that account only.]
Search Using Resource Parameter Information 


You can search for all resources that match the parameter information of a 
resource. For example, if you have a resource with a specific parameter, such as an 
AWS instance in a specific VPC, you could search for all resources that belong to the same 
VPC ID and resource type. 


Go to Resources, select the Instance resource type and click the EC2 Instance ID to view the 
details of the resource. All the searchable parameter information for that resource type is 
displayed with links on the right side. 
[Screenshot: Resource Details: i-0702c4b97e8a0b26a, Summary tab. The right-hand panel lists Instance Name, Instance ID, Instance Type (t2.micro), First Discovered On, Instance Status (running), Spot Instance, Image (AMI) ID, Last Updated On, Location (Account ID, Region N. Virginia (us-east-1), Availability Zone) and Network (VPC ID vpc-1e37cd76, Subnet ID) as links, with the callout "Click to view all AWS instances that belong to the VPC ID".]


Click the link to automatically form the search query based on the VPC ID and view the 
search results. 


[Screenshot: Resources tab, Instance list view with the query instance.vpcId:vpc-98a11ffd, showing the Total Instances, Without Agents, With Public IP and With Vulnerabilities counts and the matching instances with their account ID, region, state and first discovered date.]
Search Policy Controls 


Find out all about your policies and control evaluations and get up-to-date information quickly 
using Qualys Advanced Search. 


Go to Monitor tab. You'll notice a Search field above the controls list (you can also search 
on other tabs). This is where you'll enter your search query. 


[Screenshot: Monitor tab for Amazon Web Service with the Search field above the Evaluations, Security Posture and Failures by Criticality counters.]


Start typing and we'll show you the properties you can search such as account ID, control 
criticality, control result, etc. Select the one you're interested in. 


[Screenshot: property suggestions shown while typing in the Search field (account.id, control.criticality, control.description, control.name, control.result), with inline help for the highlighted property, e.g. control.description: "Use quotes or backticks with description."]
Now enter the value you want to match, and press Enter. You can also choose a date 
range. That's it! Your matches will appear in the list. 


[Screenshot: the query control.criticality:HIGH entered in the Search field ("Enter value to search"); the list and counters update to show only the matching controls ("View your matches"), all with criticality HIGH.]


You'll notice a Search field and this is where you'll enter your search query. 


[Screenshot: Control Evaluation: CID-17 "Ensure IAM policies are attached only to groups or roles" (Policy: CIS Amazon Web Services Foundations Benchmark, Platform: AWS, Service: IAM; Evaluation: Check IAM policies are not attached directly to users). Callouts point to the Search field, the View Steps link ("Click to view the Remediation Steps") and the Evidence link for each evaluated IAM user ("Click to view details").]
Start typing and we'll show you the properties you can search such as cid, control.name, 
and so on. Select the one you're interested in. 


[Screenshot: Control Evaluation: CID-1 "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" (Policy: CIS Amazon Web Services Foundations Benchmark, Platform: AWS, Service: IAM; Evaluation: Check IAM Users having console password enabled has MFA Set to True). The Search field ("Type your query here") suggests properties (account.id, control.criticality, control.description, control.evaluatedon, control.name, control.result) with quick help for the highlighted one, e.g. account.id: "Use a text value to show resources based on the unique account ID associated with the connector/ARN at the time of creation", example account.id: 205767712438.]

You can perform various actions on the controls, such as re-evaluating a control or creating an 
exception for a failed resource. Select the control and click Actions or the quick 
actions menu. See Exceptions to know more about exceptions. 


[Screenshot: quick actions menu for an evaluated resource: View Resource Details, Re-evaluate, Show other control failures for this resource, Show all failures for this account, Create Exception.]

Securing Cloud Resources 
IaC Posture 


To know what led the control to pass or fail, click Evidence. The Evidence details will tell 
you the reason that led the control to pass or fail. 


[Screenshot: Evidence panel for a failed AWS Config control. Evidence Details reads "AWS config is not enabled in all regions", with the criterion "Config enabled in all regions: False" and per-region values (eu-west-3 Disabled, ap-south-1 Enabled). Remediation Steps and View in AWS Console (already signed in account / sign in to account) are alongside.]


IaC Posture 


The IaC Posture sub-tab under the Monitor tab shows the compliance posture of the resources 
defined in your Infrastructure as Code (IaC) templates. 


Note: The IaC evaluations are displayed for scans initiated from Git integrations. For more 
information on Git integrations, refer to the Secure IaC section in CloudView User Guide. 


Click any control to get details of all the resources evaluated against the control. 


Search Policy Controls 


Find out all about your policies and control evaluations and quickly get up-to-date 
information using Qualys Advanced Search. 


Go to Monitor > IaC Posture tab. You'll notice a Search bar above the controls list (you can 
also search on other tabs). This is where you can enter your search query. 


[Screenshot: Monitor > IaC Posture tab for Amazon Web Services (Last 30 Days) with the Search field above the controls list, e.g. "Ensure that Public Accessibility is set to No for Database Instances" (High, RDS, Policy: AWS Infrastructure as Code Security Best Practices Policy) with its Security Posture counts.]
Start typing and we'll show you the properties you can search such as account ID, control 
criticality, control result, etc. Select the one you're interested in. 


[Screenshot: IaC Posture Search field ("Start typing here") suggesting properties (control.criticality, control.name, control.result) with Syntax Help and View All Tokens; for control.criticality: "Select the control criticality (HIGH, MEDIUM, LOW) you're interested in", example "Show controls with High criticality: control.criticality: HIGH".]

Now enter the value you want to match, and press Enter. You can also choose a date 
range. That's it! Your matches will appear in the list. 


[Screenshot: IaC Posture results for control.criticality:HIGH ("View your matches"), listing controls from the AWS Infrastructure as Code Security Best Practices Policy such as "Ensure that Public Accessibility is set to No for Database Instances" (RDS), "Ensure DynamoDB tables are encrypted using KMS Customer managed Keys", "Ensure that ALB using listener type HTTP must be redirected to HTTPS", "Ensure no hard coded AWS access key and secret key exists in provider", "Ensure that ALB drops HTTP headers" and "Ensure Backup Vault is encrypted at rest using KMS CMK", with Control Result, Source (GitHub, Bamboo, Bitbucket) and Services facets. Clicking a control opens Control Evaluation: CID-51 (Platform: AWS, Service: RDS; Evaluation: Checks the Public Accessibility for database instances) with a resource table (Resource, Type, Source, Repository, Result, Evaluated On), a View Steps link ("Click to view Remediation Steps") and a per-row "Click to view details" link.]
You'll notice a Search field and this is where you'll enter your search query. Start typing 
and we'll show you the properties you can search such as cid, control.name, and so on. 
Select the one you're interested in. 


[Screenshot: Control Evaluation: CID-51 "Ensure that Public Accessibility is set to No for Database Instances" (Policy: AWS Infrastructure as Code Security Best Practices Policy, Platform: AWS, Service: RDS; Evaluation: Checks the Public Accessibility for database instances). The Search field ("Type your search query here") suggests cid, control.criticality, control.name, control.result, git.branch, iac.scan.id and iac.scan.name, with Syntax Help for control.criticality: "Select the control criticality (HIGH, MEDIUM, LOW) you're interested in", example "Show controls with High criticality: control.criticality: HIGH", and a View All Tokens link.]


You can also view other failed controls for the same resource. Select the control and click 
Actions or the quick actions menu. 


[Screenshot: Control Evaluation: CID-51 "Ensure that Public Accessibility is set to No for Database Instances" (Policy: AWS Infrastructure as Code Security Best Practices Policy, Platform: AWS, Service: RDS, Criticality: High, Manual Remediation: View Steps) with the query control.criticality:HIGH and the quick actions menu open on a resource, showing "Show other control failures for this resource".]


The Result column indicates the evaluation result of the resource against the control. 


[Screenshot: Control Evaluation: CID-51 resource table with columns Resource, Type, Source, Repository, Result and Evaluated On (e.g. resource "default", evaluated 8 days ago), and an Evidence link on each row.]


Depending on the evaluation result, the Result column displays one of the following 
values: 

- Fail: Indicates the resource failed the control evaluation. 
- Pass: Indicates the resource has passed the control evaluation. 


- Skip: Indicates the resource skipped the control evaluation. To know more about how to 
skip control evaluation for resources, see Exceptions. 


To know what led the control to pass, fail or skip, click Evidence. The Evidence details will tell 
you the reason for the result. 


[Screenshot: Evidence for CID-51 on an IaC resource ("Click Evidence to view the details of evaluation result"). Evaluation Summary shows First Evaluated and Last Evaluated (December 28, 2021 10:24 AM). File Details shows File Path (/aws_db_instance_pass.tf), Scan ID and Scan Name, followed by a Code Block excerpt of the aws_db_instance resource from the template.]


Exceptions 


You may want to create exceptions to exempt certain cloud resources from a particular 
control or temporarily change the status of a resource for a particular control from Failed 
to PassE (Pass with Exception). 


For example, it may be the policy in an organization that a particular cloud resource is 
not allowed on any server or port. However, there could be a business need for the 
organization to provide an exception for one or more resources on a temporary basis. This 
may be required to support a custom application or other business need. You could use 
exceptions in such scenarios. 


Create Exception 


Here are quick steps to create an exception. 
1. Go to Monitor tab. You'll notice a Search field above the controls list. Enter your search 
query for failed evaluations and click the required control in the search results to view the 
control evaluations. 


[Screenshot: Monitor tab with the query resource.result: FAIL (Last 90 Days), with Pass 0 and Fail 570 in the Total Evaluations counter, and the failed controls listed, e.g. the IAM password policy controls (require at least one symbol, require at least one number, minimum length of 14 or greater, prevent password reuse, expire passwords within 90 days or less).]


2. Select the failed resource for which you want to create an exception and click Create 
Exception from the quick actions menu. 


[Screenshot: Control Evaluation: CID-12 "Ensure IAM password policy prevents password reuse" (Policy: CIS Amazon Web Services Foundations Benchmark, Platform: AWS, Service: IAM; Evaluation: Check "Number of passwords to remember" is set to 24; Criticality: HIGH; Manual Remediation). The Quick Actions menu on a failed resource offers Re-evaluate, Create Exception, Show other control failures for this resource and Show all failures for this account.]


Note: The Create Exception option is available in the quick action menu only for resources 
with failed control evaluations (FAIL). 


3. The Exception wizard is displayed. Provide the following details for the exception: 
- Basic details such as the name of the exception, the reason for creating it, an 
explanation, and the start and end date of the exception. Optionally, you can also provide 
information on the security policy and procedure for which the exception is being 
created. 


[Screenshot: Create Exception wizard, step 1/4 Basic Details (steps: Basic Details, Scope Information, Select Controls, Review Exception). "Provide the basic details for exception creation." Fields: Exception Name (required), Reason (False Positive / Risk Accepted / Other), Explanation (required, 250 characters), Exception Start Date, Exception End Date, Information Security Policy and Information Security Procedure ("Please provide additional explanation for tracking purpose").]


- Scope Information: Decides the scope of the exception you are creating. By default, 
Resource option is selected. You could expand the scope of the exception to all resources 
in a specific account. 
- Resource: Choose to create the exception at resource level; the exception is 
applicable only to the selected resource. 


[Screenshot: Create Exception wizard, step 2/4 Scope Information ("The following scope will be associated with the exception.") with Scope set to Resource; the selected resource is listed with its Resource Type (IAM User), Services (IAM) and Account ID.]


You can associate a maximum of 200 resources with an exception during creation. For 
example, you could configure the number of rows shown to be 200, select all the 
resources on the page and click Create Exception from the Actions menu. 


[Screenshot: Control Evaluation: CID-4 "Ensure access key1 is rotated every 90 days or less" (Policy: CIS Amazon Web Services Foundations Benchmark, Platform: AWS, Service: IAM; Evaluation: Check active key1 has been rotated within 90 days) with the query resource.result:FAIL; the Actions (200) menu is open over 200 selected IAM users out of 2031 results, offering Re-evaluate and Create Exception.]


As a result, all 200 selected resources get associated with the exception you 
create. Because a page displays at most 200 rows, you cannot 
associate more than 200 resources with a single exception. 
- Connector: Choose to create the exception for all resources in the account associated 
with the connector. By default, the connector associated with the resource is 
selected. You can click Add More Connectors to add multiple connectors to the 
exception. 
[Screenshot: Create Exception wizard, step 2/4 Scope Information with Scope set to Connector. Note: "Exception with the same connector and control combination may exist." Selected Connectors (1) lists Connector Name, Account ID and Account Alias, with Cancel, Previous and Next buttons.]


Note: The exception created at connector level is implemented on the resource evaluation 
result in the next connector run. 


- Controls: The control for which the evaluation failed is auto-populated. Click Add More 
Controls to include more controls of the same resource type. 


[Screenshot: Create Exception wizard, step 3/4 Select Controls: "The following controls are automatically added to the exception. You can add more controls of the same resource type or remove the automatically added controls." Selected Controls (1) lists CID and Control Name, e.g. 2 "Ensure console credentials unused for 90 days or greater are disabled".]


4. Review the information you provide for the exception and click Create Exception. 


That’s it! The exception is created. The exceptions you create are listed in Exceptions tab. 
Go to Policy > Exceptions to view the list of all exceptions. 
Once the exception is in ACTIVE status, the resource result immediately changes from Fail 
to PassE (Pass with Exception). The Exception Details section in Evidence displays all the 
exception details. The exception details are updated only when the exception status 
changes or on every connector run. 
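The rules spelled out in this section (an exception has a reason, a start and an end date, a scope of either one resource or a whole connector, a set of controls, a cap of 200 resources at creation, and it turns a FAIL into PassE only while ACTIVE) can be written down as a small model. The block below is an added example for this guide, not CloudView's own code or data model: the class names, the EXPIRED status label, the constructed evaluations and the account IDs are my assumptions, and the guide's own statuses of Inactive and Active are reproduced as described.

```python
"""Exception lifecycle and its effect on evaluation results, after the Exceptions section.
Added example, not CloudView code; model, labels and sample data are assumptions/constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set

MAX_RESOURCES = 200   # per-exception limit at creation time, as stated in the guide
REASONS = ("False Positive", "Risk Accepted", "Other")


@dataclass
class Exception_:
    name: str
    reason: str
    start: datetime
    end: datetime
    cids: Set[int]                                       # controls the exception covers
    scope: str = "Resource"                              # "Resource" or "Connector"
    resource_ids: Set[str] = field(default_factory=set)  # used for Resource scope
    account_ids: Set[str] = field(default_factory=set)   # used for Connector scope (account per connector)
    deleted: bool = False

    def __post_init__(self):
        if self.reason not in REASONS:
            raise ValueError(f"reason must be one of {REASONS}")
        if self.end <= self.start:
            raise ValueError("end date must be after start date")
        if self.scope == "Resource" and len(self.resource_ids) > MAX_RESOURCES:
            raise ValueError(f"at most {MAX_RESOURCES} resources per exception")

    def status(self, now: datetime) -> str:
        """INACTIVE before the start date, ACTIVE from start to end, EXPIRED afterwards (label assumed)."""
        if now < self.start:
            return "INACTIVE"
        if now <= self.end:
            return "ACTIVE"
        return "EXPIRED"

    def covers(self, cid: int, resource_id: str, account_id: str) -> bool:
        """Connector scope matches every resource in the connector's account; Resource scope matches listed resources."""
        if cid not in self.cids:
            return False
        if self.scope == "Connector":
            return account_id in self.account_ids
        return resource_id in self.resource_ids


@dataclass
class Evaluation:
    cid: int
    resource_id: str
    account_id: str
    result: str                      # FAIL / PASS / PASSE / SKIP
    exception: Optional[str] = None  # name of the exception that produced PASSE


def apply_exceptions(evals: List[Evaluation], exceptions: List[Exception_], now: datetime) -> List[Evaluation]:
    """FAIL results covered by an ACTIVE, non-deleted exception become PASSE; everything else is unchanged.
    (For connector-scoped exceptions the guide notes the change lands on the next connector run.)"""
    out = []
    for e in evals:
        hit = next((x for x in exceptions
                    if not x.deleted and x.status(now) == "ACTIVE"
                    and x.covers(e.cid, e.resource_id, e.account_id)), None)
        if e.result == "FAIL" and hit is not None:
            out.append(Evaluation(e.cid, e.resource_id, e.account_id, "PASSE", hit.name))
        else:
            out.append(e)
    return out


# Constructed sample data (not real accounts or findings)
EVALS = [
    Evaluation(12, "acct-a-password-policy", "111111111111", "FAIL"),
    Evaluation(12, "acct-b-password-policy", "222222222222", "FAIL"),
    Evaluation(2, "user-alice", "111111111111", "FAIL"),
]
SAMPLE_EXCEPTION = Exception_(
    name="Sample Exception", reason="False Positive",
    start=datetime(2020, 12, 4), end=datetime(2020, 12, 31, 23, 59),
    cids={12}, scope="Resource", resource_ids={"acct-a-password-policy"},
)
CONNECTOR_EXCEPTION = Exception_(
    name="Connector-wide", reason="Risk Accepted",
    start=datetime(2020, 12, 4), end=datetime(2020, 12, 31, 23, 59),
    cids={12, 2}, scope="Connector", account_ids={"111111111111"},
)

if __name__ == "__main__":
    for when in (datetime(2020, 12, 1), datetime(2020, 12, 10), datetime(2021, 1, 5)):
        print(when.date(), SAMPLE_EXCEPTION.status(when),
              [e.result for e in apply_exceptions(EVALS, [SAMPLE_EXCEPTION], when)])
```

The two scopes behave differently in a way that matters for audit: the resource-scoped exception only flips the one listed resource, while the connector-scoped one flips every covered control for every resource in that account, so a reviewer reading the history log should expect a much larger blast radius from the latter.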


[Screenshot: Control Evaluation: CID-12 "Ensure IAM password policy prevents password reuse" after the exception is active. The Evidence Details panel has an Exception section with Exception Name, Reason, Status, Created By, Exception Start Date and Exception End Date (e.g. Sample Exception, False Positive, created by user_john (John Doe), December 4, 2020 12:00 AM to December 31, 2020 11:59 PM) and a View Details link.]
View Exceptions 


Go to Policy > Exceptions to see exceptions. Select View from the quick actions menu for 
any exception to view complete details about the exception. You can also view a history 
log for the exception. 


[Screenshot: Policy > Exceptions tab with a "Search for exceptions..." field, the Total Exceptions count, a Reason facet (False Positive, Risk Accepted, Other), and each exception listed with its name, reason, start date and end date (e.g. demo-123, False Positive, Dec 1, 2020 to May 28, 2021); the Quick Actions menu includes Delete.]


Edit Exceptions? 


You can edit exceptions when they are in active status. You can change the start date, end 
date, explanation, controls associated with the exception, information security policy, and 
information security procedure. Go to Policy > Exceptions to see exceptions. Select View 
from the quick actions menu. Click Edit in the Exception Summary tab to edit the required 
exception details. 


[Screenshot: Exception Details for demo-123 (View Mode: Basic Details), with Exception Summary and History tabs. Exception Name demo-123; Reason False Positive; Status ACTIVE; Created By user_john (John Doe); Exception Start Date December 1, 2020 10:27 AM; Exception End Date May 28, 2021 12:30 PM; Created On December 1, 2020 10:27 AM; Provider AZURE; Explanation demo-123; Modified By user_john (John Doe); Information Security Policy NA; Information Security Procedure NA. Resources (1): an Azure SQL Server. Controls (1): 50002, Ensure no SQL Servers allow ingress from Internet (ANY IP).]




Securing Cloud Resources 
Exceptions 


Note: You cannot edit exceptions that are expired. 


Delete exceptions? 


Yes. Users with required permissions can delete any exception. Users with reader 
permissions can only view exceptions. 


Important - When exceptions are deleted, the exception history is permanently removed 
and cannot be recovered. 


Exception History 


All actions are logged in the exception history with the name of the user who performed 
the action and a time stamp for when the action took place. Select View from the quick 
actions menu for any exception and then go to the History section. The original exception 
request and each action taken on the exception since the request are listed. 


Exception Status 
Exception status levels include: 


Inactive: An exception is inactive while the current date is earlier than its start date. 
When the current date reaches the start date, the exception automatically changes to 
active status. 


Active: An exception is active while the current date falls between its start date and 
end date. 


Expired: An exception is expired once the current date is past its end date. When an 
exception expires, the resource shows a result of Fail again in the control evaluation. 
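The exception lifecycle above, and the Fail to PassE mapping described under the Evidence section, can be reproduced outside the console. The following Python is an added example, not CloudView code and not a Qualys API: it derives an exception's status from the clock, applies active exceptions to raw control results, and lists exceptions that are about to lapse (the moment a PassE quietly reverts to Fail). The dates, control and account come from the Sample Exception in the Evidence screenshot; the ControlException field names, and treating the AWS account ID as the resource ID for an account-level IAM control, are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Status names as the guide defines them.
INACTIVE, ACTIVE, EXPIRED = "INACTIVE", "ACTIVE", "EXPIRED"


@dataclass(frozen=True)
class ControlException:
    """An exception record. Field names are this example's assumptions."""
    name: str
    reason: str                 # "False Positive", "Risk Accepted" or "Other"
    start: datetime
    end: datetime
    control_ids: frozenset      # controls the exception covers
    resource_ids: frozenset     # resources the exception covers


def exception_status(exc, now):
    """Inactive before start, Active from start through end, Expired after end."""
    if now < exc.start:
        return INACTIVE
    if now > exc.end:
        return EXPIRED
    return ACTIVE


def effective_result(raw_result, control_id, resource_id, exceptions, now):
    """Map a raw evaluation result to what the Monitor view shows.

    Only a Fail is affected: a Fail covered by an ACTIVE exception becomes
    PassE. Inactive and expired exceptions have no effect, so the resource
    shows Fail again as soon as the exception expires.
    """
    if raw_result != "Fail":
        return raw_result
    for exc in exceptions:
        if (control_id in exc.control_ids
                and resource_id in exc.resource_ids
                and exception_status(exc, now) == ACTIVE):
            return "PassE"
    return "Fail"


def expiring_within(exceptions, now, days):
    """Active exceptions whose end date falls within the next `days` days.

    Worth reviewing before they lapse: an expired exception cannot be edited,
    so a still-valid justification has to be re-created (or copied) in time.
    """
    horizon = now + timedelta(days=days)
    return [exc for exc in exceptions
            if exception_status(exc, now) == ACTIVE and exc.end <= horizon]


def sample_exception():
    """The Sample Exception from the Evidence screenshot: CID-12 on one AWS account."""
    return ControlException(
        name="Sample Exception",
        reason="False Positive",
        start=datetime(2020, 12, 4, 0, 0),
        end=datetime(2020, 12, 31, 23, 59),
        control_ids=frozenset({"CID-12"}),
        resource_ids=frozenset({"636123215182"}),
    )


if __name__ == "__main__":
    exc = sample_exception()
    for when in (datetime(2020, 12, 3), datetime(2020, 12, 15), datetime(2021, 1, 5)):
        print(when.date(), exception_status(exc, when),
              effective_result("Fail", "CID-12", "636123215182", [exc], when))
```

The end date is treated as inclusive, matching the 11:59 PM end shown in the evidence; if your own exception register stores dates only, normalise them to the end of the day before comparing.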


Use Existing Exception to Create New Exception 


Go to Policy > Exceptions to see exceptions. Select an existing exception from the list and 
click Copy from the quick actions menu. The exception creation wizard is displayed with 
settings pre-configured from the existing exception. Thus, you can alter the required 
settings and create a new exception using the pre-populated configuration. 
Policies and Controls 


CloudView continuously discovers resources and evaluates them against the Benchmark 
and Best Practices policies provided out of the box. 


Customize Controls 


Controls are the building blocks of the policies used to measure and report compliance for 
a set of resources. We provide many controls for you to choose from, and you can 
customize them too. Controls determine the compliance posture of each resource. 
System Controls 


A system-defined control is a predefined control provided by Qualys. Some system-defined 
controls are customizable while others are not. The control indicator icon tells you 
whether a control is customizable. 


[Screenshot: Policy > Controls filtered by provider: "AWS", 145 Total Controls. Left panel: TYPE System Defined 107, User Defined 38; CRITICALITY HIGH 127, MEDIUM 16, LOW 2; SERVICES. The list shows IAM system-defined controls such as Ensure multi-factor authentication (MFA)..., Ensure console credentials unused for 9..., Ensure access keys unused for 90 days o..., Ensure access key1 is rotated every 90 d..., and Ensure access key2 is rotated every 90 d..., each marked System Defined and modified by SYSTEM 42 minutes ago.]


- The first indicator icon marks system-defined controls that cannot be customized. You 
cannot alter the parameter values of such controls. 


- The second indicator icon marks controls that can be customized. You can change the 
parameter values of such controls to suit your organization's requirements. 

User-Defined Controls 


The same customizable indicator icon marks the system-defined controls you can copy. 
Copy such a control to make your own user-defined control, which you can then customize 
to meet your needs. 

Controls Category: Execution Type 


The Execution Type column on the Controls tab tells you when a control is evaluated. 
Controls are categorized by execution type as follows: 


- Run Time Controls are controls for evaluations on deployed cloud resources. 


- Build Time Controls are controls for cloud resources that reside within the IaC 
templates. 


- Run & Build Time Controls are controls for evaluations on cloud resources in your 
environment and those which reside within the IaC templates. 
Control Criticality 


You can modify the criticality of any control to suit your needs. To change a control's 
criticality to match your environment, select the control and then select Change 
Criticality from the quick action menu. 


[Screenshot: Policy > Controls (provider: "AWS", 145 Total Controls) with the Quick Actions menu open on a control, showing View, Change Criticality and Create Copy.]


Select the criticality you want to assign to the control and click Change Criticality. 


[Screenshot: Change Criticality dialog. "Depending on the impact you want this control to have, you can set the criticality to High, Medium, Low." Options: High (System Default), controls with severe impact; Medium, controls with medium impact; Low, controls with minimal impact. Buttons: Cancel, Change Criticality.]


Note: When you change the criticality of a control, the revised criticality takes effect for 
existing evaluations in the Monitor view only after the next connector run. 


Consider a control with HIGH criticality that has evaluated three resources. If you change 
the control's criticality to LOW, the evaluation results reflect the change only after the 
next connector run. Suppose that run detects only two of the three resources: the 
evaluation results for those two resources reflect LOW criticality, while the result for 
the resource that was not detected during the run is still counted at HIGH criticality. 
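The connector-run dependence in this scenario is easy to misread on a dashboard, so here is the same scenario as an added Python example (not CloudView code, and not how Qualys stores evaluations): each evaluation row keeps the criticality that was current when the connector produced it, Change Criticality touches only the control, and a connector run rewrites rows only for the resources it detected. The stale_rows check lists what a HIGH to LOW change has not yet reached. The control ID CID-X and the resource IDs r1 to r3 are placeholders.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Evaluation:
    """One control evaluation as the Monitor view would list it.

    `criticality` is stamped from the control at the time of the connector run
    that produced the row, which is why it can lag a later criticality change.
    """
    resource_id: str
    control_id: str
    result: str
    criticality: str


class EvaluationStore:
    def __init__(self, controls):
        self.controls = dict(controls)   # control_id -> current criticality
        self.evaluations = {}            # (resource_id, control_id) -> Evaluation

    def change_criticality(self, control_id, criticality):
        """Change Criticality only updates the control; existing rows keep their stamp."""
        self.controls[control_id] = criticality

    def connector_run(self, control_id, results):
        """Re-evaluate the resources the connector detected in this run.

        `results` maps resource_id -> raw result. Resources missing from it were
        not detected, so their earlier rows are left exactly as they were.
        """
        for resource_id, result in results.items():
            self.evaluations[(resource_id, control_id)] = Evaluation(
                resource_id, control_id, result, self.controls[control_id])

    def monitor_counts(self, control_id):
        """Criticality breakdown of the rows currently shown for a control."""
        return Counter(e.criticality for e in self.evaluations.values()
                       if e.control_id == control_id)

    def stale_rows(self):
        """Rows whose stamped criticality differs from the control's current one.

        The practitioner check: these resources were not re-detected since the
        criticality change and still count under the old criticality.
        """
        return [e for e in self.evaluations.values()
                if e.criticality != self.controls[e.control_id]]


def scenario():
    """The guide's scenario: three resources at HIGH, change to LOW, two re-detected."""
    store = EvaluationStore({"CID-X": "HIGH"})   # placeholder control ID
    store.connector_run("CID-X", {"r1": "Fail", "r2": "Fail", "r3": "Fail"})
    store.change_criticality("CID-X", "LOW")
    before = store.monitor_counts("CID-X")       # still all HIGH until a run happens
    store.connector_run("CID-X", {"r1": "Fail", "r2": "Pass"})
    after = store.monitor_counts("CID-X")        # r1 and r2 at LOW; r3 still HIGH
    return before, after, [e.resource_id for e in store.stale_rows()]


if __name__ == "__main__":
    print(scenario())
```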


Copy Control and Customize 


Go to Policy > Controls, select the control to be customized, and select Create Copy from 
the quick action menu. The customizable indicator icon marks the controls that can be 
copied and customized. Currently, 12 AWS and 3 Azure controls are customizable. 


You can then modify the parameters of the control as per your requirement and save the 
customized control. The customized control is available to associate with policy and 
evaluate the resources. 


For example, let us modify the minimum password length to 10 for AWS CID 11. 


(1) Select the control and click Create Copy from quick action menu. 


[Screenshot: Policy > Controls (provider: "AWS") with the Quick Actions menu open on a control, showing View, Change Criticality and Create Copy.]


(2) Change the name of control and criticality if needed. Click Next 


(3) Set the expected value in Evaluation Parameter to 10. Change other aspects such as 
Evaluation Description, Evaluation Message as per your need. Click Next. 


(4) Update the Additional Details if needed. Click Create. 


That's it! Your new custom control is ready to use. 
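To make the Evaluation Parameter step concrete, here is the check behind CID 11 and the CID-12 evaluation shown earlier on this page, written as an added Python example. It is not Qualys' control logic and does not call CloudView. The policy dictionary has the shape of the AWS IAM GetAccountPasswordPolicy response (boto3: iam.get_account_password_policy()["PasswordPolicy"]), but its values are constructed. The expected value of 24 for CID-12 comes from the evaluation on this page; the system default of 14 for CID 11, the control name given to it, and the policy attribute each control reads are the example's assumptions.

```python
from dataclasses import dataclass, replace

# Constructed account password policy, shaped like the AWS IAM
# GetAccountPasswordPolicy response (boto3: iam.get_account_password_policy()
# ["PasswordPolicy"]). An account with no policy at all is modelled as {};
# the live API raises NoSuchEntityException instead, which must also be a Fail.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    attribute: str          # policy attribute the control reads (assumed mapping)
    expected: int           # Evaluation Parameter: minimum acceptable value
    criticality: str = "HIGH"
    user_defined: bool = False

    def create_copy(self, cid, expected, name=None, criticality=None):
        """Create Copy: a user-defined control with its own evaluation parameter.

        Only the parameter, name and criticality change; the check itself is
        inherited from the system-defined control.
        """
        return replace(self, cid=cid, expected=expected, user_defined=True,
                       name=name or self.name,
                       criticality=criticality or self.criticality)


def evaluate(control, policy):
    """Return (result, evaluation message) for one control against one account."""
    if not policy:
        return "Fail", "No account password policy is set"
    actual = policy.get(control.attribute)
    if actual is None:
        return "Fail", f"{control.attribute} is not configured"
    result = "Pass" if actual >= control.expected else "Fail"
    return result, f"{control.attribute} is {actual}; expected at least {control.expected}"


# System-defined controls. 14 for CID 11 is an assumed CIS value; 24 is from the page.
CID_11 = Control("CID-11", "Ensure IAM password policy requires minimum length",
                 "MinimumPasswordLength", 14)
CID_12 = Control("CID-12", "Ensure IAM password policy prevents password reuse",
                 "PasswordReusePrevention", 24)

# The user-defined copy the guide walks through: minimum length relaxed to 10.
CUSTOM_11 = CID_11.create_copy("UD-11", expected=10,
                               name="Minimum password length 10 (custom)")


def evaluate_all(policy, controls=(CID_11, CUSTOM_11, CID_12)):
    """Result per control ID, as a policy containing these controls would report."""
    return {c.cid: evaluate(c, policy)[0] for c in controls}


if __name__ == "__main__":
    for c in (CID_11, CUSTOM_11, CID_12):
        print(c.cid, *evaluate(c, SAMPLE_POLICY))
```

Because the copy is a separate user-defined control, a policy evaluates whichever of the two you associate with it. Relaxing a parameter in a copy therefore changes what Pass means for that policy; keep the system-defined control in any policy that must still reflect the benchmark value.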


Can I edit controls? 

Yes. Choose the user-defined control to be edited and choose Edit from the quick action 
menu. You can edit only user-defined controls; system-defined controls cannot be edited. 

Can I delete controls? 


Yes. Choose the user-defined control to be deleted and choose Delete from the quick action 
menu. You can delete only user-defined controls; system-defined controls cannot be 
deleted. 


Build Your Own Policy 


A policy is a collection of controls used to measure and report compliance for a set of 
resources. Your compliance reports show you the compliance status (pass or fail) of each 
resource against the policy controls. You can use the policies we provide or build your 
own policy. 

System Defined Policy 


CloudView continuously discovers resources and evaluates them against the Benchmark 
and Best Practices policies provided out of the box. To view the complete list of policies 
and associated controls that Qualys provides, refer to Appendix: List of Policies and 
Controls. 


Set Up Your Own Policy (Custom Policy) 


You can create your own custom policy and associate with it the controls to be evaluated. 


(1) Navigate to Policy > Policy > New. 




(2) Provide the basic details for the custom policy such as name, description, select the 
cloud provider, and select the type of execution controls to be included in the policy. 


You could choose the controls depending on their execution type: 
- Run Time: controls for evaluations on deployed cloud resources. 


- Build Time: controls for evaluations on cloud resources within the IaC templates. 


Click Next. 


[Screenshot: Create: Policy, step 1/4, Policy Details (steps: Basic Details, Select Controls, Choose Connectors, Review). Name "My Custom Policy" (required); Description "Sample Policy"; Provider AWS.]


(3) Associating Controls. You can associate either type of control: 

- System Defined 

- User Defined 

Select the controls to be associated with the policy and click Add. Click Next. 


[Screenshot: Create: Policy, step 2/4, Select Controls: "Select controls and associate them with the policy." Initially no controls are selected; clicking the selector opens List: Select Controls to add, with a search box, an Add button showing the number of controls selected, and filters by TYPE (System Defined 108, User Defined 1), CRITICALITY (HIGH 93, MEDIUM 15, LOW 1) and SERVICES (RDS 34, IAM 23, CloudTrail 20). Columns: CID, CONTROL NAME, PLATFORM, TYPE, MODIFIED BY. The IAM controls listed include Ensure multi-factor authentication (MFA) is ..., Ensure console credentials unused for 90 da..., Ensure access keys unused for 90 days or gr..., Ensure access key1 is rotated every 90 days..., Ensure access key2 is rotated every 90 days..., and Ensure IAM Password Policy is Enabled, all System Defined and modified by SYSTEM 3 days ago.]


You can associate system-defined controls or create your own custom control using 
existing control to suit your need. For more information, refer to Customize Controls. 


(4) Select the connector groups or connectors that should be analyzed for policy 
compliance. Click Next. 


[Screenshot: Create: Policy, step 3/4, Choose Connectors: "Tell us the connectors you want to analyze for compliance with this policy. You can select a combination of groups and connectors, and we'll evaluate the policy against all matching connectors."]


That’s it. Your custom policy is ready to use. 


Policy Search 


Find all about your policies and get up to date information quickly using Qualys Advanced 
Search. Start typing in the Search field and we'll show you the properties you can search 
such as policy.name, provider, etc. Select the one you're interested in. 


Search for policies based on the properties. 


Now enter the value you want to match, and press Enter. That's it! Your matches will 
appear in the list. For detailed steps on how to form search queries, click here. 


Associating Controls 


You could build your policy by associating relevant controls to it. 


Reports 


You can generate reports to view the compliance posture of your cloud resources. Run 
reports to learn whether your resources are compliant with mandates and compliance 
policies. 


The reports you could generate are: 


Assessment Reports 


You can generate a report to view the compliance evaluation of your resources for 
multiple policies in your cloud environment. You can use our Qualys Query Language 
(QQL) query driven report wizard to generate on-demand assessment report. When the 
report is successfully created, you can also download it in CSV or PDF format using our 
quick actions menu. For detailed information and steps on Assessment report, see 
Assessment Reports. 


On-Screen Reports 


Create a custom template for the reports by telling us the settings. The report templates 
are saved and available to you. Every time you want to view the report, just select Run 
Report from the quick actions menu. You can edit the report template to reconfigure or 
change the report settings. Depending on the criteria you define in the report template, 
you could generate two types of reports: Mandate Based Reporting and Policy Based 
Report. 


Assessment Reports 


Use assessment reports to view the compliance of your resources for the defined policies 
in CloudView. You can use Qualys Query Language (QQL) to generate the on-demand 
assessment reports. 


Create an assessment report by telling us the settings. The report settings are saved and 
available to you. Once you generate an assessment report, you can view the report 
summary, reconfigure the report settings, and download the report in CSV or PDF format. 
Tell me the Steps 

It's easy to create a custom report template. 


1) Just go to Reports > Reports tab and then click Create New Report. 




2) Provide a title and description (optional) to the report template. 


[Screenshot: Create Report, step 1/3, Basic Information (steps: Basic Information, Report Source, Review & Confirm). Report Name "Sample Assessment Report" (required); Report Description (250 characters maximum); Select Report Format: Comma-Separated Value (CSV) or Portable Document Format (PDF).]


3) Choose the report format: CSV or PDF. 


4) Select the cloud provider for which you want to generate the assessment report. 


[Screenshot: Create Report, step 2/3, Report Source. Report Template: Assessment Report; Cloud Provider: AWS; Select Policies: AWS Best Practices Policy; Select Connectors: All Connectors or Groups / Connectors; Search Query: control.criticality:HIGH, Last 24 Hrs. Buttons: Cancel, Previous, Next.]


5) Select the required compliance policy from the Select Policy drop-down for which you 
want to evaluate your cloud resources. 


Note: 


- For CSV report format, you can select multiple policies. 


- For PDF report format, you can select only one policy. 


6) Select the group, connector, or a combination of groups and connector you want to 
evaluate for compliance. 


7) Use evaluatedon search query token to specify the date criteria for report you want to 
generate. 


8) Select the Resource Summary check box to include resource details (resource ID, 
connector, control ID, resource type, evaluation date, and resource result) in the report. 
This option applies only to the PDF report format. 


Note: Assessment reports containing up to 8k records with Resource Summary get 
successfully downloaded. Download of assessment report exceeding 8k records and 
Resource Summary is currently not supported for PDF reports. 


9) Resource Evaluation Result: Select the evaluation results to be included in the reports 
for resources evaluated against the controls that meet criteria defined in Search Query. 
You could choose from Pass, PassE (pass with exceptions), and Fail options. You can 
choose multiple options. 


10) Review the configured report settings in the Summary pane and then click Create and 
Run Report. 


[Screenshot: Create Report, step 3/3, Review & Confirm. Basic Information: Title "Sample Assessment Report", Description "You can provide a description of the report". Report Source: Report Template Assessment Report, Cloud Provider AWS, Policy AWS Best Practices Policy. Connectors: All Connectors. Search Information: Query (Last 24 Hrs) control.criticality:HIGH. Buttons: Cancel, Create and Run Report.]


Re-run Assessment Report 




To re-run a report, select the report from the Reports page and click Run Again from the 
quick actions menu. 




The Create report wizard with pre-populated settings is displayed. You can retain the 
current report settings or edit as per your need. 


Click Run Report to initiate the report generation. 


The report is then listed on the Reports page. You can download the report once the status 
is Completed. 


Download Assessment Report 


To download a report, select the report from the Reports page and click Download from 
the quick actions menu. 


The report is downloaded in the format you specified during report creation. 


View Assessment Report Settings 


To view a report's settings, select the report from the Reports page and click Info from the 
quick actions menu. 


The Report Summary displays the report settings. 


Delete Assessment Report 


To delete a report, select the report from the Reports page and click Delete from the quick 
actions menu. 


A confirmation dialog box is displayed. Click Yes to proceed with the deletion of the report. 


The reports are automatically deleted after 7 days (from the date of creation). 


On-Screen Reports 


Create a custom template for the reports by telling us the settings. The report templates 
are saved and available to you. Every time you want to view the report, just select Run 
Report from the quick actions menu. 


You can edit the report template to reconfigure or change the report settings. Depending 
on the criteria you define in the report template, you could generate two types of reports: 
Mandate Report and Policy Report. 


Mandate Based Reporting 


Mandates are regulatory requirements, best practice standards, or compliance frameworks 
defined by security- or business-driven certification bodies and/or government bodies. 


We support report generation of policies and mandates for all the cloud providers we 
support: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). 
To view the complete list of mandates that we support, see the List of Mandates section. 


Launch the Mandate Based Report to view the compliance posture of the organization, in 
terms of the underlying security baseline, against a selected mandate. You choose one 
mandate you have to comply with and see the compliance posture in terms of the policies 
you selected. 


The reports are meant only for viewing; currently, we do not support saving, downloading, 
or publishing them. 


Tell me the Steps 
It's easy to create a custom report template. 
1) Just go to Reports > On-Screen Reports > Create New Template. 


2) Provide a title and description (optional) for the report template. 


[Screenshot: Create New Template, step 1/3, Basic Information (steps: Basic Information, Choose Connectors, Summary). Report Title "My Custom Report Template"; Report Description "Example Report"; Cloud Provider GCP; Report Type: Policy or Mandate (Mandate selected); Select Policies "GCP Best Practices Policy"; Select Mandate "CIS Critical Security Controls (Top 5)"; Select Format "On-Screen Report". The format note reads: The On-Screen Report displays the latest data and is available only for viewing.]


3) Select the cloud provider for which you want to generate the mandate report. 
4) Select the Mandate in the report type and then click Next. 

-Select the Policy from the drop-down. You can select multiple policies. 

-Select the Mandate from the drop-down. You can select only one mandate. 


5) Select the groups, connector, or a combination of groups and connector you want to 
evaluate for compliance. 


[Screenshot: Create New Template, step 2/3, Choose Connectors: "Tell us the connector(s) you want to analyze for the report. You can select a combination of groups and connectors, and we'll evaluate the report against all matching connectors." Groups: GroupTest; Connectors: GCP-demo. Buttons: Cancel, Previous.]


6) Review the configured report template settings in the Summary and then click Create 
Template and Run Report. 


[Screenshot: Create New Template, step 3/3, Summary: "Review the report configuration options." Basic Information: Title My Custom Report; Description Sample report; Cloud Provider GCP; Policy GCP Best Practices Policy; Mandate CIS Critical Security Controls (Top 5); Format On-Screen Report. Connectors: Selected Groups (1) GroupTest; Selected Connectors (1) GCP-demo. The format note reads: The On-Screen Report displays the latest data and is available only for viewing.]
Sample Mandate Based Report 


[Screenshot: Report Data - My Custom Report. Report Info: Created Date July 23, 2020 10:16 AM; Created By John Doe; Username user_john; Groups GroupTest; Projects GCP-demo (gcp-qualys-demo). Report Summary: Requirements 16; Cloud Controls Matrix (CCM) - Ver 3.0.1; 12.26 % Compliant; Controls 8; Policies 1. Further sections: Report Statistics, Requirement Posture.]
Policy Based Report 


Policies are sets of controls. You can generate a policy-specific compliance report for any 
of the cloud providers we support: Amazon Web Services (AWS), Microsoft Azure, and 
Google Cloud Platform (GCP). 


It's easy to create a custom report template. 


1) Just go to Reports > On-Screen Reports > Create New Template. 




2) Provide a title and description (optional) to the report template. 


[Screenshot: Create New Template, step 1/3, Basic Information (steps: Basic Information, Choose Connectors, Summary). Report Title "My Custom Policy Report"; Report Description "Sample description"; Cloud Provider GCP; Report Type: Policy (selected) or Mandate; Select Policies "GCP Best Practices Policy"; Select Format "On-Screen Report". The format note reads: The On-Screen Report displays the latest data and is available only for viewing.]


3) Select the cloud provider for which you want to generate the policy report. 




4) Select Policy as the report type, select the policy from the drop-down, and then click 
Next. You can select multiple policies. 


5) Select the group, connector, or a combination of groups and connectors you want to 
evaluate for compliance. 


[Screenshot: Create New Template, step 2/3, Choose Connectors: "Tell us the connector(s) you want to analyze for the report. You can select a combination of groups and connectors, and we'll evaluate the report against all matching connectors." Groups: GroupTest; Connectors: GCP-demo. Buttons: Cancel, Previous.]


6) Review the configured report template settings in the Summary and then click Create 
Template and Run Report. 


[Screenshot: Create New Template, step 3/3, Summary: "Review the report configuration options." Basic Information: Title My Custom Policy Report; Description Sample description; Cloud Provider GCP; Policy GCP Best Practices Policy; Format On-Screen Report. Connectors: Selected Groups (1) GroupTest; Selected Connectors (1) GCP-demo. The format note reads: The On-Screen Report displays the latest data and is available only for viewing. Buttons: Cancel, Previous, Create Template and Run Report.]
Sample Policy Based Report 


[Screenshot: Report Data - My Custom Policy Report. A side panel navigates to the report sections: Report Info, Projects, Report Summary, Report Statistics, Detailed Report. Report Info: Created By John Doe; Username user_john; Created Date July 23, 2020 10:07 AM; Cloud Provider GCP; Groups GroupTest; Projects GCP-demo (gcp-qualys-demo). Report Summary: Policies 1 (GCP Best Practices Policy); Controls 8; Total Evaluations 106; 12.26 % Pass. Report Statistics: Overall Policy Posture Fail 87.74 % (93 of 106), Pass 12.26 % (13 of 106); Policy Posture per policy (GCP Best Practices Policy); Detailed Report listing GCP Best Practices Policy.]
List of Mandates 

We support the following mandates for report generation. 
1 ISO/IEC 27001:2013 
2 Cloud Controls Matrix (CCM) 
3 NERC Critical Infrastructure Protection (CIP) 
4 Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, Subparts A/C:1996 
5 ANSSI 40 Essential Measures for a Healthy Network 
6 The Australian Signals Directorate - The Essential 8 Strategies (ASD 8) 
7 Reserve Bank of India (RBI) - Baseline Cyber Security and Resilience Requirements (Annex 1) 
8 General Data Protection Regulation (GDPR) 
9 Minimum Acceptable Risk Standards for Exchanges (MARS-E) 
10 NCSC Basic Cyber Security Controls (BCSC) 
11 IRS Publication 1075 
12 NIST Cyber Security Framework (CSF) 
13 Sarbanes-Oxley Act: IT Security 
14 NESA UAE Information Assurance Standards (IAS) 
15 APRA Prudential Practice Guide (PPG): CPG 234 - Management of Security Risk in Information and Information Technology 
16 IRDAI Guidelines On Information and Cyber Security for Insurers 
17 Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Practices 
18 NIST Special Publication 800-171 
19 CIS Controls Version 8 
20 Criminal Justice Information Services (CJIS) Security Policy 
21 Cybersecurity Maturity Model Certification (CMMC) Level 1 
22 Cybersecurity Maturity Model Certification (CMMC) Level 2 
23 Cybersecurity Maturity Model Certification (CMMC) Level 3 
24 Cybersecurity Maturity Model Certification (CMMC) Level 4 
25 Cybersecurity Maturity Model Certification (CMMC) Level 5 
26 Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 
27 SWIFT Customer Security Controls Framework - Customer Security Programme v2019 
28 Federal Risk and Authorization Management Program (FedRAMP H) - High Security Baseline 
29 Federal Risk and Authorization Management Program (FedRAMP M) - Moderate Security Baseline 
30 NIST 800-53 (Special Publication) 




Responses 


You can set up rules that alert you when resources fail selected critical control 
evaluations, so that the misconfigurations can be fixed. Instead of actively monitoring 
the system, you receive an alert only when a rule matches, and you learn of changes or 
significant findings as soon as they occur. 


For example, you can set up alerts for: 

- Resources failing for particular control 

- Evaluation result of highly critical controls 

- Evaluation result of controls of specific policy 


- Resources failing in the latest connector run 


Configure Rule-based Alerts 


Just tell us what you consider to be a significant finding or event and the mechanism in 
which you want to be alerted. 


[Screenshot: Responses > Activity. 81.2K Total Activities (1-50 of 81188) for the period 20 Jan 11:30 AM to 21 Jan 5:30 AM. Columns: RULE NAME, ACTION NAME, status, created by and date. Rules listed include IAM User failure (54K activities), test (24.9K), AWS RDS Enable (505), and Security Group SSH port consolidated report-1 ("This rule will send consolidated alert notifications for Security group resources failures"), with action QEmail-Action-1 created by John Doe, status Success, sent 9 days ago.]


(1) Define actions that the rule must take in response to the alert. For detailed steps, see 


Create and Manage Actions. 


(2) Set up your rules in the Rule Manager tab. For detailed steps, see Create and Manage 


Rules. 


(3) Monitor all the alerts that were sent after the rules were triggered. For detailed steps, 


see, Manage Alerts. 


That's it! You are all set to start being alerted about your cloud-resources. 
Create and Manage Actions 


Define how you want to be alerted once a rule you created is triggered. An alert is 
initiated when an event matching a rule's condition is detected, and the action you 
configured for that rule is then executed. 


Actions that you can choose are send the alert messages by Email, PagerDuty or Post to 
Slack. 


Create a new Action 
(1) Go to Responses > Actions > New Action. 
(2) Provide required details in the respective sections to create a new action: 


In the Basic Information section, provide a name and description for the action. Select an 
action to specify the mode of sending alert messages: Send Email (Via Qualys), Send 
Email (Your SMTP), Post to Slack or Send to PagerDuty. 


(3) For the selected action, provide the required message settings. 


- Send Email (Via Qualys)/Send Email (Your SMTP) to receive email alerts. Specify the 
email IDs of the recipients who will receive the alerts, the subject of the alert message 
and the customized alert message. 


- Send to PagerDuty to send alerts to your PagerDuty account. Provide the service key to 
connect to your PagerDuty account. In Default Message Settings, specify the subject and 
the customized alert message. 


- Post to Slack to post alert messages to your Slack account. Provide the Webhook URI to 
connect to your Slack account to post alert messages. In Default Message Settings, specify 
the subject of the alert message and the customized alert message. 


Manage Actions 


View the newly created actions in the Actions tab, with details such as the name of the 
action, the type of the action, the number of active and inactive rules that use the action, 
and the user who created it. 


You can use the Actions menu (for bulk selections) or Quick Actions menu to edit action, 
delete actions and save an existing action along with its configuration to create a new 
action with a new name. Use the search bar to search for actions using the search tokens. 




Create and Manage Rules 


Rules can be used to define the criteria that trigger the alert notifications. You can use our 
pre-defined search tokens to form the queries for the criteria. You can then associate an 
action to be executed when the criteria defined in the rule are met. 

Create New Rule 

(1) Go to Responses > Rule Manager > New Rule. 


(2) Provide a name and description of the new rule in the Rule Name and Description. 


(3) In the Rule Query section, specify a query for the rule. The system uses this query to 
search for events. Use the Test Query button to test your query. Click the Sample Queries 
link to select from the predefined queries. 
(4) In the Trigger Criteria section, choose from three trigger criteria that work in 
conjunction with the rule query. The trigger criteria are: Single Match, Time-Window 
Count Match and Time-Window Scheduled Match. For more information on trigger 
criteria, see Trigger Criteria. 


Rule Details screen (example values): Rule Name "High Control Criticality Failure"; 
Description "Monitoring resources that were evaluated for the first time and failed for 
controls with high criticality."; Rule Query (AWS Monitor) 
control.result:FAIL and control.criticality:HIGH and firstEvaluated:[now-4h .. now]; 
Trigger Criteria: Single Match. 


(5) In the Action Settings section, choose the actions that you want the system to perform 
when an alert is triggered. 


Action Settings screen (example values): Actions: Email-Action-CloudView; Recipient: the 
alert recipient's email address; Subject: "Qualys CloudView: Cloud Security Assessment 
Alerts"; Message (built with Insert token): An assessment failure has been identified for 
resource "${resource.id}" and control CID: ${cid} in your Qualys subscription. 
Manage Rules 


The Rule Manager tab lists all the rules that you have created, showing for each rule its 
name, the trigger criteria selected for it, whether alert message aggregation is enabled or 
disabled, the action chosen for it, the date and time when it was last triggered, its state 
(enabled or disabled), and the date and time when it was created. 


You can use the Actions menu or Quick Actions menu to edit, enable, disable, delete rules 
and save an existing rule along with its configuration to create a new rule with a new 
name. Use the search bar to search for rules using the search tokens. 



Manage Alerts 


The Activity tab lists all the alerts. For each alert you will see the rule name, whether 
sending the alert message succeeded or failed, whether aggregation is enabled (Yes) or 
disabled (No) for the rule, the action chosen for the rule, the matches found for the rule, 
and the user who created the rule. 


- Search for alerts using our search tokens. 

- Select a period to view the rules triggered during that time frame. 

- Click any bar to jump to the alerts triggered in a certain time frame. 

- Use these filters to group the alerts by rule name, action name, email recipients and 
status. 


Sample Queries 


Scenario 1: Rules with a specific name that were successfully executed with a PagerDuty action. 


ruleName:"api test sub name rule" and status:SUCCESS and 
action.type: PAGERDUTY 


Scenario 2: Rules that were triggered during a certain date range 



statusDate: [2021-01-02 ... 2021-06-02] and status:SUCC 


Scenario 3: Rules with a specific action triggered to a specific recipient. 


action.type:EMAIL and action.emailRecipient:abc@example.com 


Trigger Criteria 


- Select Single Match if you want the system to generate an alert each time the system 
detects an event matching your search query 


- Select Time-Window Count Match when you want to generate alerts based on the 
number of events returned by the search query in a fixed time interval. For example, an 
alert will be sent when three matching events are found within a 15-minute window. 


Example Time-Window Count Match settings: No Of Matching Events: 3; In: 15 Mins; 
Aggregate Alerts: Yes; Aggregate Group: account.id. 


- Select Time-Window Scheduled Match when you want to generate alerts for matching 
events that occurred during a scheduled time. The rule will be triggered only when an 
event matching your search criteria is found during the time specified in the schedule. 
Choose a date and time range for creating a schedule and specify how often you want to 
run the schedule, for example daily, weekly or monthly. For example, send daily alerts 
with all matches in a scheduled window between 4 pm and 5 pm. 


Example Time-Window Scheduled Match settings: Time Window Starts On 02/03/2021, Start 
Time 4:00pm; Time Window Ends On 02/03/2021, End Time 5:00pm; Repeats: Daily; 
Aggregate Alerts: Yes; Aggregate Group: account.id. Summary: Repeats everyday from 
4:00pm to 5:00pm (1 Hour). 
For the Weekly option, select the days of the week on which the schedule will run. For 
example, send weekly alerts with all matches generated between 2.19 pm and 3.19 pm on 
every Monday and Wednesday. 


Example Weekly settings: Repeats: Weekly; On Day Of The Week: Monday and Wednesday. 
Summary: Repeats monday and wednesday from 02:19 pm to 03:19 pm (1 Hour). 


For the Monthly option, specify the day of the month on which the schedule will run. For 
example, send monthly alerts on the first day of every month. 


Example Monthly settings: Repeats: Monthly; Recurring Day: 1 day of the month. 
Summary: Repeats every 1st day of the month from 02:19 pm to 03:19 pm (1 Hour). 


For Time-Window Count Match and Time-Window Scheduled Match, you have the option 
to aggregate the alerts by an aggregate group such as account ID, subscription ID, and 
so on. 
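As an added illustration of how the three trigger criteria decide when a rule fires (example code written for this guide, not Qualys CloudView code): the events, the "key:value and key:value" query matcher, the 3-in-15-minutes count and the 4 pm to 5 pm daily window are all constructed to mirror the settings described above.

```python
"""Added example, not Qualys code: a model of CloudView's three trigger criteria.
Events are constructed dicts; the query matcher understands only
'key:value and key:value' terms (the real QQL engine is far richer)."""
from collections import defaultdict
from datetime import datetime, time, timedelta


def lookup(event, dotted_key):
    """Resolve a dotted key such as 'control.result' against a nested dict."""
    node = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(query, event):
    """True when every 'key:value' term of the query holds (values compared case-insensitively)."""
    for term in query.split(" and "):
        key, _, value = term.strip().partition(":")
        if str(lookup(event, key)).upper() != value.strip().upper():
            return False
    return True


def single_match(query, events):
    """Single Match: one alert for every event that matches the query."""
    return [{"group": None, "matches": [e]} for e in events if matches(query, e)]


def time_window_count_match(query, events, count, window, group_by=None):
    """Time-Window Count Match: alert once `count` matching events fall inside a
    sliding `window`. With group_by (the Aggregate Group, e.g. 'account.id') the
    count is kept per group and one alert per group is raised."""
    buckets = defaultdict(list)
    alerts = []
    for event in sorted((e for e in events if matches(query, e)), key=lambda e: e["time"]):
        key = lookup(event, group_by) if group_by else None
        bucket = buckets[key]
        bucket.append(event)
        # Forget events that have slid out of the window relative to this one.
        while event["time"] - bucket[0]["time"] > window:
            bucket.pop(0)
        if len(bucket) >= count:
            alerts.append({"group": key, "matches": list(bucket)})
            bucket.clear()  # start a fresh count after alerting
    return alerts


def time_window_scheduled_match(query, events, start, end, weekdays=None, group_by=None):
    """Time-Window Scheduled Match: one alert per group carrying every match whose
    timestamp lies within the start..end clock window on a scheduled weekday
    (weekdays=None means the schedule repeats daily; Monday is 0)."""
    groups = defaultdict(list)
    for event in events:
        when = event["time"]
        if not matches(query, event):
            continue
        if weekdays is not None and when.weekday() not in weekdays:
            continue
        if not (start <= when.time() <= end):
            continue
        groups[lookup(event, group_by) if group_by else None].append(event)
    return [{"group": key, "matches": found} for key, found in groups.items()]


# --- constructed sample data mirroring the guide's examples -------------------
QUERY = "control.result:FAIL and control.criticality:HIGH"
WINDOW_15_MIN = timedelta(minutes=15)
SCHEDULE_START, SCHEDULE_END = time(16, 0), time(17, 0)  # the 4pm-5pm daily window
BASE = datetime(2021, 2, 3, 16, 0)  # Wednesday 3 Feb 2021, 4:00 pm (constructed)


def _event(minutes, account_id, result="FAIL"):
    return {"time": BASE + timedelta(minutes=minutes),
            "account": {"id": account_id},
            "control": {"result": result, "criticality": "HIGH"}}


SAMPLE_EVENTS = [
    _event(0, "111111111111"),
    _event(5, "111111111111"),
    _event(12, "111111111111"),   # third failure for this account within 15 minutes
    _event(2, "222222222222"),
    _event(8, "222222222222", result="PASS"),  # does not match the query
    _event(30, "222222222222"),   # second failure, but 28 minutes after the first
    _event(70, "111111111111"),   # 5:10 pm, outside the scheduled 4pm-5pm window
]


def demo():
    """Run all three criteria over the sample events; returns a summary dict."""
    count_alerts = time_window_count_match(QUERY, SAMPLE_EVENTS, 3, WINDOW_15_MIN, "account.id")
    scheduled = time_window_scheduled_match(QUERY, SAMPLE_EVENTS, SCHEDULE_START, SCHEDULE_END,
                                            group_by="account.id")
    return {
        "single": len(single_match(QUERY, SAMPLE_EVENTS)),
        "count": [(a["group"], len(a["matches"])) for a in count_alerts],
        "scheduled": {a["group"]: len(a["matches"]) for a in scheduled},
    }


if __name__ == "__main__":
    print(demo())
```

Single Match raises six alerts for the same data, the count criterion raises one (only the first account reaches three failures inside 15 minutes), and the scheduled criterion raises one per account with the 5:10 pm event left out.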


Alerting Permissions 


Assign permissions related to alerting to your user. Depending on the permissions 
assigned, the user can perform actions like creating, editing, or deleting rules and actions. 


Using the Administration module, the Manager user for that subscription can assign these 
permissions to other users. 


Only the user having the Alerting Access permission can view the Responses tab on the 
CloudView UI. 
Remediating Cloud Resources 


CloudView provides you information on resource misconfigurations. With the remediation 
feature, you can: 


- Remediate resource misconfigurations 

- Perform actions on cloud resources 


You can remediate your AWS, Azure, and GCP resource misconfigurations. 


By default the remediation feature is enabled only for Cloud Security Assessment (CSA) 
users. 


Configuring Remediation 


You can not only detect and evaluate cloud resources but also remediate resources in your 
cloud environment. You can quickly fix resource misconfigurations and remediate your 
cloud resources. 

Pre-requisites 

Ensure that you have the following modules available in your subscription: 

- Cloud Security Assessment (CSA) Subscription 

- Administration 


If you need access to a module, please contact your Qualys Technical Account Manager 
(TAM). 


A user with the Manager role or a sub-user with the Manage Remediation permission can use 
the remediation feature. For more information on configuring access for remediation, see 
Managing Remediation Permission. 


Quick Steps 


With remediation enabled for the connectors, you are provided with a one-click 
remediation option as resources are discovered and evaluated by CloudView. We will walk 
you through the steps. 


Step 1. Configure Connectors For Remediation 


Configuring connectors for remediation involves two steps: enable remediation for the 
connector and then assign write access to the connector. 


The detailed steps for each cloud provider: 
Configure Remediation for New Connectors: AWS 


Configure Remediation: Microsoft Azure 


Configure Remediation: GCP 



Step 2. Remediating Cloud Resources 


The Monitor tab lists the controls that are available for remediation and the count of 
failed evaluations that could be remediated. 


Step 3. Actions for Cloud Resources (AWS) 


The Resources tab provides you with actions that you can execute on instances to quickly 
fix unknown behavior of an instance or vulnerability on an instance. 


Configure Remediation for New Connectors: AWS 


You can enable remediation when you create AWS connectors or edit existing connectors. 
It just takes a couple of minutes. 

Enable Remediation for New Connectors 

Go to the Configuration > Amazon Web Services tab and click Create Connector. 


Provide a name and description (optional) for your connector. Configure the required 
settings for the AWS connector. For detailed information on the connector creation steps, 
refer to Steps to Create AWS Connector. 


Select Enable Remediation check box to enable remediation for the connector. 


Ensure that the connector has write access to the AWS account for which you enable 
remediation. For more information on assigning write access, refer to Configuration on 
AWS Console section. 


All the resources detected by this connector will be evaluated. You can then initiate 
remediation for the failed resources. 
Then click Create Connector. 


That’s it! The connector will establish a connection with AWS to start discovering 
resources from each region and evaluate them against policies. 


Configuration on AWS Console 


You can either use the CloudFormation template or manually configure the roles and 
permissions needed for remediation. 


Configuration Using CloudFormation Template: 

1. Download the CloudFormation template from the Create AWS Connector window. 
2. Log on to Amazon Web Services (AWS) and go to CloudFormation. 

3. Create stack & upload the template. 


When the stack creation is complete, copy the Role ARN value from the output and paste 
it into the connector details. 


Manual Configuration 


The manual configuration for remediation includes two parts: creating custom policy and 
adding the custom policy to the IAM role. 


Creating Custom Policy 
1. Go to IAM console at https://console.aws.amazon.com/iam/. 
2. In the left navigation pane, choose Policies. 
3. Click Create policy. 
4. Click JSON tab. 
5. Paste the following policy document into the JSON tab. 
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Sid": "RemediationPermission", 
            "Effect": "Allow", 
            "Action": [ 
                "ec2:RevokeSecurityGroupIngress", 
                "ec2:AuthorizeSecurityGroupIngress", 
                "ec2:DisassociateIamInstanceProfile", 
                "ec2:StopInstances", 
                "ec2:ModifySnapshotAttribute", 
                "ec2:ModifyImageAttribute", 
                "s3:PutBucketPublicAccessBlock", 
                "s3:PutAccountPublicAccessBlock", 
                "s3:PutBucketVersioning", 
                "rds:ModifyDBInstance", 
                "rds:ModifyDBClusterSnapshotAttribute", 
                "rds:ModifyDBCluster", 
                "redshift:ModifyCluster" 
            ], 
            "Resource": "*" 
        } 
    ] 
} 
6. Click Review policy. 


7. On the Review policy page, type a Name and a Description (optional). 
8. Click Create policy. 

Adding Policy to IAM Role 

1. Go to IAM console at https://console.aws.amazon.com/iam/. 

2. In the left navigation pane, choose Roles. 


3. From the IAM Roles displayed, choose the IAM Role provided during the connector 
creation step in CloudView. 


4. Go to Permissions tab and choose Attach policies. 
5. Select the check box on the left for the Custom policy you created above. 
6. Click Attach policy. 
Enable Remediation for Existing AWS Connectors 


Go to Configuration > Amazon Web Services and select the connector for which you would 
want to edit the details. From the quick actions menu, select View, go to the Connector 
Information tab and click Edit. 


Edit Connector screen: Connector Details (Connector Name); Enable Remediation check 
box (Remediation allows you to resolve misconfigurations and execute actions against 
resources. Ensure that you have write access to the AWS account for which you enable 
remediation.); Create Connector in AssetView check box (Select to automate creation of 
the same connector in AssetView. Ensure that your account has the required permissions 
in the AssetView module for the connector to be created in AssetView.) 


You can edit the required details. Select the Enable Remediation check box and click Save. 
Once you edit the connector settings, ensure that you also configure the roles and 
permissions needed for remediation on the AWS console. For more information on 
configuration of roles and permissions on the AWS console, refer to the Configuration on 
AWS Console section. 


To fetch the updated resources, you need to select Run from the quick actions menu for 
the AWS connector. 
Configure Remediation: Microsoft Azure 

Configure Microsoft Azure connectors for gathering resource information from your 
Microsoft Azure account. It just takes a couple of minutes. 

Pre-requisites 

Before you create an Azure connector, ensure that you meet the following requirements: 


- Enable Remediation for Azure Connector to register an application with your Azure 
Active Directory. 


- Check Azure Subscription permissions to assign the application to a role in your Azure 
subscription. 

Enable Remediation for New Azure Connectors 

On the Configuration tab, select Microsoft Azure > Create Connector. 


Provide a name and description (optional) for your connector. Configure the required 
settings for the Azure connector. For detailed information on the connector creation steps, 
refer to Steps to Create Azure Connector. 


Create Azure Connector screen. Connector Details: give your connector a name and 
provide a description (optional); Account Type: Global or US GovCloud; Polling 
Frequency: configure the interval at which the connector should fetch data from the 
Microsoft Azure cloud provider; Enable Remediation check box. The side panel, "Create 
application and get Application ID" (followed by "Generate Authentication Key"), lists 
these steps: 

1. Log on to the Microsoft Azure console. Go to Azure Active Directory in the left 
navigation pane, then App Registrations. 

2. Click New registration and provide these details: 
a. Name: A name for the application (e.g. My_Azure_Connector) 
b. Supported account types: Select Accounts in any organizational directory 

3. Click Register. The newly created application is displayed with its properties. Copy 
the Application (client) ID and Directory (tenant) ID and paste them into the connector 
details. 


Select Enable Remediation check box to enable remediation for the connector. 
Click Create Connector. 


That’s it! The connector will establish a connection with Microsoft Azure to start 
discovering resources from each region and evaluate them against policies. 
Configuration on Microsoft Azure Console 


You can configure the roles and permissions needed for remediation on the Microsoft 
Azure portal. 


Manual Configuration 


The manual configuration for remediation includes two parts: creating custom role and 
adding the custom role to the application. 


Creating Custom Role 
1. Go to IAM console on the Microsoft Azure Portal. 


2. In the search bar, search for Subscriptions and click Subscriptions, under the Services 
category. 


3. In the Subscriptions page, choose your subscription. 
4. Click Access control (IAM) navigation pane. 
5. Scroll to Create a custom role card and click Add. 


6. Provide a name for the Custom role, select Start from scratch option for Baseline 
permissions and click Next. 


7. On the Permissions tab, click Add permissions and add the permissions listed below: 


- Microsoft.Sql/servers/firewallRules/delete 


- Microsoft.Storage/storageAccounts/write 
- Microsoft.Storage/storageAccounts/blobServices/containers/write 
- Microsoft.Network/networkSecurityGroups/write 
- Microsoft.Web/sites/config/write 
- Microsoft.Web/sites/write 
8. Click Review + create. 

9. Click Create. 


Adding Custom Role to the application 
1. Go to the Microsoft Azure Portal. 


2. In the search bar, search for Subscriptions and click Subscriptions under the Services 
category. 


3. On the Subscriptions page, choose your subscription. 
4. Click Access control (IAM) navigation pane. 
5. Find Add a role assignment card and click Add. 


6. In the Role field, choose the custom role you created (if the custom role does not appear 
in the drop-down, refresh the page). 


7. In the Select drop-down, choose the app you provided during the connector creation. 


8. Click Save. 
Enabling Remediation for Existing Azure Connectors 


Go to Configuration > Microsoft Azure and select the connector for which you would want 
to edit the details. From the quick actions menu, select View and go to Connector 
Information tab and click Edit. 




You can edit the required details. Select the Enable Remediation check box and click Save. 
Once you edit the connector settings, ensure that you also configure the roles and 
permissions needed for remediation on the Azure console. 


For more information on configuration of roles and permissions on Microsoft Azure 
console, refer to Configuration on Microsoft Azure Console. 


To fetch the updated resources, you need to select Run from the quick actions menu for 
the Azure connector. 


Configure Remediation: GCP 


Configure a Google Cloud Platform (GCP) connector for gathering resource information 
from your Google Cloud Platform project. It just takes a couple of minutes. 


Enable Remediation for New GCP Connectors 


Go to the Configuration > Google Cloud Platform and then click Create Connector. 



Provide a name and description (optional) for your connector. Configure the required 
settings for the GCP connector. For detailed information on the connector creation steps, 
refer to Steps to Create GCP Connector. 


Create GCP Connector screen. Connector Details: give your connector a name and provide 
a description (optional); Polling Frequency (Hours, Minutes): configure the interval at 
which the connector should fetch data from the GCP cloud provider; Authentication 
Details: Configuration File (create a service account and download its configuration file); 
Enable Remediation check box. The side panel, "Enable access to some APIs in API 
library", lists these steps: 

1. Log on to the Google Cloud Platform (GCP) console. 

2. Select the organization. 

3. Select a project or create a new project. Ensure that you select the correct project. 

4. In the left sidebar, navigate to APIs and Services > Library. 

5. In API Library, click the following APIs and enable them. If you need help finding 
the API, use the search field. 
- Compute Engine API 
- Cloud Resource Manager API 
- Kubernetes Engine API 
- Cloud SQL Admin API 
- BigQuery API 
- Cloud Functions API 
- Cloud DNS API 
- Cloud Key Management Service (KMS) API 
- Cloud Logging API 
- Stackdriver Monitoring API 


Select Enable Remediation check box to enable remediation for the connector. All the 
resources detected by this connector will be evaluated. You can then initiate remediation 
for the failed resources. 


Then click Create Connector. 


That’s it! The connector will establish a connection with GCP to start discovering 
resources from each region. 


Configuration on GCP Console 


You can manually configure the roles and permissions needed for remediation on the 
Google Cloud Platform portal. The configuration for remediation includes two parts: 
creating a custom role and adding the custom role to the IAM member. 


Creating Custom Role 
1. Go to IAM console on the Google Cloud Platform Portal. 


2. From the drop-down list at the top, select the project for which you want to create a 
role. 


3. Click CREATE ROLE and provide the required details. 
4. Click Add Permissions. 
5. In the Add Permissions window, add the following permissions: 


- compute.firewalls.update 
- compute.instances.setMetadata 
- storage.buckets.setIamPolicy 
- cloudfunctions.functions.setIamPolicy 
- bigquery.datasets.update 
- cloudsql.instances.update 
- cloudkms.cryptoKeys.setIamPolicy 
6. Click CREATE. 


The custom role is created. You need to add the custom role to the IAM member. 
Adding Custom Role to the IAM Member 

1. Go to the IAM-Admin page on the Google Cloud Platform Portal - IAM Admin. 

2. In the IAM members list, choose the member used for creating the connector. 
3. Click the edit icon on the right side of the Selected IAM member row. 


4. In the Edit permissions window, click ADD ANOTHER ROLE and then choose the Custom 
role created in the above step. 


5. Click Save. 

The custom role is added to the IAM member. 

Add Compute Engine default service account access to CloudView service account 

1. Go to Service accounts page by visiting Google Cloud Platform Portal - Service Accounts. 


2. From the service accounts list select Compute Engine default service accounts, which is 
of pattern PROJECT_NUMBER-compute@developer.gserviceaccount.com and check the 
box on the left. 


3. On the right pane, click ADD MEMBER. 


4. In the New members field, choose the service account provided during connector 
creation. 


5. In Select a role field, choose Service Account User role. 


6. Click SAVE. 
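As an added check for the AWS custom policy, the Azure custom role and the GCP custom role steps above (example code written for this guide, not Qualys code): compare what the remediation identity actually holds against the permission lists this guide documents, so that a drifted or over-broad policy is caught before it is attached. The three input shapes (an IAM policy document, a role definition in the form `az role definition create` accepts, and `gcloud iam roles describe` output) are assumptions, and every sample document is constructed.

```python
"""Added example, not Qualys code: audit the permissions granted to the identity that
CloudView uses for remediation against the lists documented in this guide.
Assumed input shapes: an AWS IAM policy document, an Azure custom role in the form
accepted by `az role definition create`, and a GCP role as printed by
`gcloud iam roles describe`. All sample documents below are constructed."""
from fnmatch import fnmatchcase

# Remediation permissions documented in this guide, per provider.
DOCUMENTED = {
    "aws": {
        "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DisassociateIamInstanceProfile", "ec2:StopInstances",
        "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
        "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketVersioning", "rds:ModifyDBInstance",
        "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBCluster",
        "redshift:ModifyCluster",
    },
    "azure": {
        "Microsoft.Sql/servers/firewallRules/delete",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Web/sites/config/write",
        "Microsoft.Web/sites/write",
    },
    "gcp": {
        "compute.firewalls.update", "compute.instances.setMetadata",
        "storage.buckets.setIamPolicy", "cloudfunctions.functions.setIamPolicy",
        "bigquery.datasets.update", "cloudsql.instances.update",
        "cloudkms.cryptoKeys.setIamPolicy",
    },
}


def granted_permissions(provider, doc):
    """Flatten a provider document into the set of permission strings it grants."""
    if provider == "aws":
        statements = doc["Statement"]
        statements = statements if isinstance(statements, list) else [statements]
        granted = set()
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements do not grant anything
            actions = stmt.get("Action", [])
            granted |= {actions} if isinstance(actions, str) else set(actions)
        return granted
    if provider == "azure":
        return set(doc.get("Actions", []))
    if provider == "gcp":
        return set(doc.get("includedPermissions", []))
    raise ValueError(f"unknown provider {provider!r}")


def audit(provider, doc):
    """Report documented permissions the identity lacks ('missing') and granted
    entries the guide never asked for ('extra'). An AWS wildcard such as 'ec2:*'
    counts as covering every documented action it matches, but is still listed
    as extra because it grants more than the documented set."""
    granted = granted_permissions(provider, doc)
    documented = DOCUMENTED[provider]
    covered = {d for d in documented if any(fnmatchcase(d, g) for g in granted)}
    return {
        "missing": sorted(documented - covered),
        "extra": sorted(g for g in granted if g not in documented),
    }


# --- constructed samples ---------------------------------------------------------
SAMPLE_AWS_POLICY = {   # drifted: ec2 widened to a wildcard, redshift action dropped
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RemediationPermission",
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:PutBucketPublicAccessBlock",
                   "s3:PutAccountPublicAccessBlock", "s3:PutBucketVersioning",
                   "rds:ModifyDBInstance", "rds:ModifyDBClusterSnapshotAttribute",
                   "rds:ModifyDBCluster"],
        "Resource": "*",
    }],
}
SAMPLE_AZURE_ROLE = {   # exactly what the guide documents
    "Name": "CloudView Remediation", "IsCustom": True,
    "Actions": sorted(DOCUMENTED["azure"]), "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id-placeholder>"],
}
SAMPLE_GCP_ROLE = {     # one documented permission missing, one unrelated one added
    "name": "projects/<project-placeholder>/roles/cloudviewRemediation",
    "includedPermissions": sorted((DOCUMENTED["gcp"] - {"cloudkms.cryptoKeys.setIamPolicy"})
                                  | {"compute.instances.delete"}),
}

if __name__ == "__main__":
    for provider, doc in (("aws", SAMPLE_AWS_POLICY), ("azure", SAMPLE_AZURE_ROLE),
                          ("gcp", SAMPLE_GCP_ROLE)):
        print(provider, audit(provider, doc))
```

Feed it the live documents (for example the output of `aws iam get-policy-version`, `az role definition list` or `gcloud iam roles describe --format=json`) to confirm the connector's identity has exactly the documented set before you select Enable Remediation.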
Enabling Remediation for Existing GCP Connectors 


Go to Configuration > Google Cloud Platform and select the connector for which you 
would want to edit the details. From the quick actions menu, select View and go to 
Connector Information tab and click Edit. 



You can edit the required details. Select the Enable Remediation check box and click Save. 
Remediation is enabled for the connector. Once you edit the connector settings, ensure 
that you also configure the roles and permissions needed for remediation on the GCP 
console. 


For more information on configuration of roles and permissions on GCP console, refer to 
Configuration on GCP Console. 


To fetch the updated resources, you need to select Run from the quick actions menu for 
the GCP connector. 
Viewing Remediation Activity 


You can view all the remediation activities that are triggered in your Qualys account 
for all the 3 cloud providers. 


Go to Responses > Remediation Activity. Activities for every cloud are listed under the 
respective sub tabs. 


You could use filters listed in the left pane or form search queries using the search tokens 
supported by Qualys Query Language (QQL) to filter the activities. 


By default, the remediation activity logs are retained for 30 days. The logs older than 30 
days are automatically deleted. 


Remediation Activity: AWS 


All the activities that are triggered for AWS resources are listed under Responses > 
Remediation Activity> AWS sub-tab. The Action column indicates the type of remediation 
activity initiated for a resource. 




Actions for AWS resources: 
- Stop Instance: indicates stop instance action was initiated for the AWS resource. 


- Remove IAM Profile: indicates remove IAM profile action was initiated for the AWS 
resource. 


- Control Remediation: indicates Remediate Now button was used to trigger remediation 
of the AWS resource for the specified CID. 
Remediation Activity: Microsoft Azure 


All the activities that are triggered for Azure resources are listed under Responses > 
Remediation Activity> Microsoft Azure sub-tab. The Action column indicates the type of 
remediation activity initiated for a resource. 




Action for Azure resources: 


Control Remediation: indicates Remediate Now button was used to trigger remediation of 
the Azure resource for the specified CID. 


Remediation Activity: GCP 


All the activities that are triggered for GCP resources are listed under Responses > 
Remediation Activity > Google Cloud Platform sub-tab. The Action column indicates the 
type of remediation activity initiated for a resource. 




Action for GCP resources: 


Control Remediation: indicates Remediate Now button was used to trigger remediation of 
the GCP resource for the specified CID. 
Remediating Cloud Resources 


Widget cards on the Monitor tab show the total evaluations, the failures by criticality, 
and the count of failed evaluations that can be fixed through remediation. 


Remediable Evaluations 


With remediation enabled, you can filter out controls with failed evaluations that can be 
remediated. 


[Screenshot: Monitor tab for Amazon Web Services with the widget cards Total Controls Evaluated, Failed Evaluations (by High, Medium and Low criticality) and Remediable, and a control list of CIS Amazon Web Services Foundations Benchmark v1.2.0 IAM password policy controls with their pass/fail counts.]


Total Evaluations: Count of passed and failed control evaluations. 


Failure by Criticality: Failed Evaluations that are categorized as per failure criticality: High, 
Medium, and Low. 


Remediable: Count of failed evaluations that can be remediated. Click to view the controls 
with failed evaluations that are remediable. 
The remediation icon next to a control indicates that the control is available for remediation. Click one of 
the controls to proceed with remediation. 


[Screenshot: Monitor tab for Amazon Web Services filtered with the query isRemediable:true and control.result:FAIL (Last 24 Hrs), listing the remediable failed controls: "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22" and "... to port 3389" (CIS Amazon Web Services Foundations Benchmark v1.2.0), and the AWS Best Practices Policy S3 controls "Ensure 'Block new public bucket policies' for a bucket is set to true", "Ensure that 'Block public and cross-account access' if bucket has public policies for bucket is set to true", "Ensure that 'Block new public ACLs and uploading public objects' for a bucket is set to true" and "Ensure 'Ignore public access granted through public ACLs' for a bucket is set to true".]


Let us consider an example of CID 60. 


[Screenshot: Control Evaluation page for CID-60, "Ensure that 'Block public and cross-account access' if bucket has public policies for bucket is set to true" (Policy: AWS Best Practices Policy, Platform: AWS, Service: S3). The evaluation text reads "This control ensures that bucket level public access setting 'Block public and cross-account access if bucket has public policies' is...". The resource list, filtered with isRemediable:true and control.result:FAIL, shows S3 buckets with a FAIL result evaluated 2 hours ago, each with an Evidence link, and a Remediate Now button.]


Click Remediate Now. 


The Remediation Resource pop-up is displayed. It lists the resources on which the 
remediation action will be executed, the action itself, and the impact of that action. 


For example, when remediation is initiated for resources that have failed CID 60, the 
"Block public and cross-account access to buckets and objects through any public bucket 
or access point policies" property is enabled on the resource as the remediation action. 


As a result, the S3 bucket resource ignores public and cross-account access for buckets or 
access points with policies that grant public access to buckets and objects. Provide a 
comment for the remediation and select the "I, <user name>, authorize to execute remediation 
actions on the selected resources" check box. 
Click Remediate. 


The Remediation status is now changed to Queued state. Once the remediation is 
successfully completed, the status of the evaluations changes from FAIL to PASS. 


Note: The Evidence details are updated only after the connector run. The Last 
Remediation Activity tab in Evidence lists the remediation details. 
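The CID 60 example above maps to one of the four S3 Block Public Access properties. The following is an added example (not Qualys code) that evaluates a bucket's Block Public Access configuration against the four S3 controls listed in the Monitor tab, builds the remediation plan the pop-up describes, and applies it through a boto3-compatible call. The configuration dict uses the same keys that the boto3 S3 client returns from get_public_access_block() and accepts in put_public_access_block(); only CID 60 comes from this guide, the other three CID labels are placeholders, and the bucket and its settings are constructed.

```python
"""Evaluate and remediate S3 Block Public Access settings locally.

Added example, not Qualys code. Only CID 60 is taken from the guide; the
other CID labels are placeholders. The dict layout matches boto3's
get_public_access_block() / put_public_access_block().
"""
from copy import deepcopy

# Property -> (control title as shown in the Monitor tab, CID label).
CONTROLS = {
    "BlockPublicPolicy": (
        'Ensure "Block new public bucket policies" for a bucket is set to true',
        "CID-placeholder-A"),
    "RestrictPublicBuckets": (
        'Ensure that "Block public and cross-account access" if bucket has '
        'public policies for bucket is set to true',
        "CID-60"),
    "BlockPublicAcls": (
        'Ensure that "Block new public ACLs and uploading public objects" '
        'for a bucket is set to true',
        "CID-placeholder-B"),
    "IgnorePublicAcls": (
        'Ensure "Ignore public access granted through public ACLs" for a '
        'bucket is set to true',
        "CID-placeholder-C"),
}

# Constructed sample: a bucket whose policy-based blocks are only half set.
SAMPLE_BUCKET = "constructed-example-bucket"
SAMPLE_CONFIG = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,
}


def evaluate(config):
    """Return {cid: "PASS" | "FAIL"}. A missing key counts as False, which
    is what AWS applies when a bucket has no public access block at all."""
    return {cid: ("PASS" if config.get(prop) is True else "FAIL")
            for prop, (_title, cid) in CONTROLS.items()}


def remediation_plan(config, cids):
    """Return (new_config, actions): the config with the properties behind
    the requested CIDs switched on, plus the action list shown in the
    Remediation Resource pop-up. Properties already true are left alone."""
    new = deepcopy(config)
    actions = []
    for prop, (title, cid) in CONTROLS.items():
        if cid in cids and new.get(prop) is not True:
            new[prop] = True
            actions.append(f"{cid}: set {prop}=true ({title})")
    return new, actions


class RecordingClient:
    """Stand-in for a boto3 S3 client so the example runs offline; it only
    records the put_public_access_block() calls it would have made."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


def remediate_bucket(bucket, current_config, cids, client=None):
    """Compute the plan and, when a client is supplied, apply it with the
    same keyword arguments boto3's put_public_access_block() takes."""
    new, actions = remediation_plan(current_config, cids)
    if client is not None and actions:
        client.put_public_access_block(
            Bucket=bucket, PublicAccessBlockConfiguration=new)
    return new, actions


if __name__ == "__main__":
    print("before:", evaluate(SAMPLE_CONFIG))
    s3 = RecordingClient()
    fixed, actions = remediate_bucket(SAMPLE_BUCKET, SAMPLE_CONFIG, {"CID-60"}, s3)
    print("actions:", actions)
    print("after: ", evaluate(fixed))
```

Swapping RecordingClient for a real boto3 S3 client applies the change; the evaluation result flips from FAIL to PASS only for the property that was changed, while the other three settings are left exactly as they were.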


Actions for Cloud Resources (AWS) 


We provide actions that you can execute on instances to quickly contain unexpected 
behavior of an instance or a vulnerability on an instance. 


Use Case: Search EC2 instance with critical vulnerability having IAM profile associated. 
Action: Stop Instance, Remove IAM Profile 


Benefit: Block instance having critical vulnerability from accessing AWS services or stop 
instance to quarantine it. 


[Screenshot: Resources tab for Amazon Web Services in List View, resource type Instance, showing counts for Total Instances, Without Agents, With Public IP, Docker Hosts and With Vulnerabilities, and a list of instances with their instance ID, name, region (N. Virginia, N. California, Ohio, Mumbai), state (Running or Stopped) and discovery date.]


You can directly control remediable actions from Qualys for Instance resources. 


We support the following actions for AWS Instance resources: 


Stop Instance 


The Stop Instance action allows you to stop an already running instance on the AWS cloud. You 
can use the action as an immediate response to a newly detected unknown instance. For 
example, suppose you operate only in the Mumbai region, but instances are detected in the North 
Carolina region (where you do not operate). In such cases, the first response action 
towards such an unknown instance would be to stop the instance and then troubleshoot it. 


You can now execute actions on such instances from Qualys console. 
1. Go to Resources > Amazon Web Services > Instance resource type. All the instances in 
your account are listed. The Actions column displays the possible actions. 


[Screenshot: Stop Instance dialog listing the selected instance (Instance, Account ID, Region), a mandatory Comments field (250 characters), and the check box "I, John Doe, authorize to execute action on the selected resource."]


Click the Stop Instance action. 


Remove IAM Profile 


The Remove IAM Profile action allows you to disassociate an IAM instance profile from the instance. 
Removing the IAM profile stops access to other AWS resources that may be available through 
the associated IAM role. You can execute the action in the following scenarios: 
Go to Resources > Amazon Web Services > Instance resource type. All the instances in 
your account are listed. The Actions column displays the possible actions. 


[Screenshot: Remove IAM Profile dialog. It warns "The AWS services accessed by the instance using IAM profile may not be accessible after instance profile is removed.", lists the selected instance and region, has a mandatory Comments field, and the check box "I, John Doe, authorize to execute action on the selected resource."]


Click Remove IAM Profile action. 

The Remove IAM profile pop-up is displayed. 

Specify a comment and select the authorization check box. 
Click Execute Action. 


You can view the history of actions executed on instances. Simply, select the instance, and 
select Show Action Log from the quick action menu. The Action Log displays the list of 
actions executed on the instance. 
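The use case above (critical vulnerability plus an attached IAM profile, or an instance running in a region you do not operate in) is a selection rule that can be run over an inventory before anyone clicks Stop Instance or Remove IAM Profile. The following is an added example, not Qualys code: it applies that rule to a constructed instance list and produces the per-instance action plan together with the comment and authorization record the console asks for. The record field names are assumptions, not CloudView's schema, and the instance ids and profile names are placeholders.

```python
"""Pick first-response actions for EC2 instances as the use case describes.

Added example, not Qualys code. Inventory records are constructed and
their field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

STOP = "Stop Instance"
REMOVE_PROFILE = "Remove IAM Profile"


@dataclass
class Instance:
    instance_id: str
    region: str
    state: str                               # "Running" or "Stopped"
    iam_profile: Optional[str] = None        # instance profile name, if any
    vuln_severities: List[str] = field(default_factory=list)


# Constructed inventory; ids and profile names are placeholders.
OPERATING_REGIONS = {"Mumbai"}
SAMPLE_INSTANCES = [
    Instance("i-constructed-0001", "Mumbai", "Running", "app-profile", ["critical"]),
    Instance("i-constructed-0002", "N. Virginia", "Running", None, []),
    Instance("i-constructed-0003", "Ohio", "Stopped", "bastion-profile", ["critical"]),
    Instance("i-constructed-0004", "Mumbai", "Running", "app-profile", ["high"]),
    Instance("i-constructed-0005", "N. California", "Running", "ci-profile",
             ["critical", "low"]),
]


def plan_actions(instances, operating_regions=OPERATING_REGIONS):
    """Return {instance_id: [actions]} for instances that need a response.

    Stop comes first so the instance is quarantined before its profile is
    removed; an instance that is already stopped is not stopped again, but
    its IAM profile is still removed when it carries a critical finding.
    """
    plan = {}
    for inst in instances:
        actions = []
        if inst.region not in operating_regions and inst.state == "Running":
            actions.append(STOP)
        if "critical" in inst.vuln_severities and inst.iam_profile:
            actions.append(REMOVE_PROFILE)
        if actions:
            plan[inst.instance_id] = actions
    return plan


def action_log_entries(plan, actor, comment):
    """Build one authorization record per planned action, mirroring the
    comment and "I, <user>, authorize ..." confirmation the console requires."""
    return [
        {"instance": iid, "action": act, "by": actor,
         "authorized": True, "comment": comment}
        for iid, acts in plan.items() for act in acts
    ]


if __name__ == "__main__":
    plan = plan_actions(SAMPLE_INSTANCES)
    for entry in action_log_entries(plan, "John Doe", "constructed comment"):
        print(entry)
```

The ordering inside each action list matters: stopping the instance first removes its ability to act, after which the profile removal cuts off its standing access to other AWS services.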


Permissions Required 


We have provided a permission for remediation. You can choose to enable or disable 
remediation for sub-users. 
By default, remediation is accessible to all the Manager users. You can assign access to 
sub-users based on their Roles. For a sub user to be able to perform remediation actions, a 
user with Manager role needs to assign the permission to the sub users from the 
Administration utility. 


[Screenshot: Administration > Role Creation, step 2 of 3 (Edit permissions for this role). The CLOUDVIEW module lists the permissions CLOUDVIEW API Readonly Access, CLOUDVIEW Readonly Access, CLOUDVIEW UI Access and CLOUDVIEW API Access, and the group "Manage Remediation Permissions (1 of 1)" contains "Manage Remediation (Not Applicable for Readonly Permission)".]


There are two types of sub users that a user with Manager role can create. Depending on 
the permissions you assign to the role, you could categorize the sub users as follows: 


All privileges: You need to assign the Manage Remediation permission to a sub user with all 
privileges so that the sub user can perform all actions related to remediation. 


Reader privileges: A sub user with the Reader role can view remediable controls and connectors 
for which remediation is enabled. The sub user can neither create nor edit connectors with 
remediation enabled, nor execute any remediation actions on any of the 
resources. 
CloudView APIs 


Many CloudView features are available through REST APIs. You can use the Swagger tool to 
access the REST APIs we support. 


Accessing APIs Using Swagger 


Swagger is a widely-adopted specification that allows for programmatically describing 
REST APIs. The Swagger UI provides all the details about the APIs and how to invoke them. 
This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, 
allowable parameters and types, and so on. 


You can directly access the Swagger UI from the following URL: 
http://<QualysURL>/cloudview-api/swagger-ui.html 
For example, if your account is on US Platform 2 


https://qualysguard.qg2.apps.qualys.com/cloudview-api/swagger-ui.html 


[Screenshot: Swagger UI "Cloudview APIs" page with an Authorize button. The description reads: All features of the Cloudview are available through REST APIs. Access support information at www.qualys.com/support/. Permissions: User must have the Cloudview module enabled; User must have API ACCESS permission. Created by dev-cloudview@qualys.com. API groups shown include "AWS Evaluations: APIs for the AWS Control Evaluations" and "Connector: APIs for the Connectors"; base URL: /cloudview-api.]


API Examples 


You can view examples and details on API usage in our CloudView API User 
Guide. 
Qualys maintains multiple platforms. The Qualys URL that you should use for API 
requests depends on the platform where your account is located. 


Qualys Platform URLs 


Qualys US Platform 1        https://qualysguard.qualys.com 
Qualys US Platform 2        https://qualysguard.qg2.apps.qualys.com 
Qualys US Platform 3        https://qualysguard.qg3.apps.qualys.com 
Qualys EU Platform 1        https://qualysguard.qualys.eu 
Qualys EU Platform 2        https://qualysapi.qg2.apps.qualys.eu 
Qualys India Platform 1     https://qualysguard.qg1.apps.qualys.in 
Qualys Canada Platform      https://qualysapi.qg1.apps.qualys.ca 


Do I need to Authenticate? 


Authentication to the Qualys Cloud Platform is necessary before you try out the APIs. 


Click Authorize and provide your user name and password. You can then use the 
APIs. 
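Outside the Swagger UI, the same two facts (the platform URL for your account and the username/password authorization) are what a script needs. The following is an added example, not from the Qualys API guide: it picks the platform URL from the table above, refuses to attach credentials to anything but an https:// URL, and builds a request under the /cloudview-api base path shown in Swagger. Sending the username and password as HTTP Basic is an assumption consistent with the Authorize dialog; the endpoint path is supplied by the caller because this guide does not list endpoint paths (see the CloudView API User Guide).

```python
"""Build an authenticated CloudView API request for the right platform.

Added example, not from the Qualys API guide. Basic auth is an assumption;
endpoint paths are the caller's responsibility.
"""
import base64
import json
import urllib.request

PLATFORM_URLS = {
    "US1": "https://qualysguard.qualys.com",
    "US2": "https://qualysguard.qg2.apps.qualys.com",
    "US3": "https://qualysguard.qg3.apps.qualys.com",
    "EU1": "https://qualysguard.qualys.eu",
    "EU2": "https://qualysapi.qg2.apps.qualys.eu",
    "IN1": "https://qualysguard.qg1.apps.qualys.in",
    "CA":  "https://qualysapi.qg1.apps.qualys.ca",
}
API_BASE = "/cloudview-api"


def basic_auth_header(user, password):
    """HTTP Basic credential value: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(platform, path, user, password, method="GET", body=None):
    """Return a urllib Request for <platform URL>/cloudview-api<path>.

    Credentials are only ever attached to an https:// URL, so a mistyped
    http:// platform entry cannot leak the password in clear text.
    """
    base = PLATFORM_URLS[platform]
    if not base.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Accept": "application/json",
    }
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base + API_BASE + path, data=data,
                                  headers=headers, method=method)


def send(request, timeout=30):
    """Send the request and decode the JSON body (this is the network call)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # The Swagger UI path from this guide is used only to show the URL shape.
    req = build_request("US2", "/swagger-ui.html", "user", "pass")
    print(req.get_method(), req.full_url)
```

Keep the password out of the script itself (read it from an environment variable or a secrets store) and pass it to build_request at call time.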
Securing Infrastructure as Code 


In the current continuous integration and continuous deployment (CI/CD) environment, 
scans are conducted on cloud resources after deployment, so the cloud resources are 
secured only post deployment. We execute the Infrastructure as Code (IaC) Security scan 
for AWS Terraform. With the arrival of the IaC scan, you can now secure your code (IaC) before it 
is deployed in the cloud environment. 


The Qualys IaC Security feature helps shift the security and compliance posture of 
cloud security to the left, allowing evaluation of cloud resource misconfigurations even before 
actual deployment. Using this feature, cloud infrastructure teams can prevent 
misconfigurations before they happen. 


The first step towards IaC security is triggering an IaC scan. In the current scenario, the 
scans are executed after the cloud resources are deployed in the cloud environment. As a 
result, fixing of misconfigurations happens post deployment. However, using this feature, 
you can trigger the scan on IaC (configuration file) before the cloud resources are deployed 
in the environment. 


Once you trigger the scan, we evaluate the configuration file (IaC) against pre-defined 
controls. 


IaC scanning works by uploading the template file, or a zip containing multiple files, to 
CloudView, either via our CLI or API. The template is processed, and the response returns a 
scan ID. The returned scan ID can then be used to fetch the scan report, which provides the 
evaluation results and gives you a clear picture of the misconfigurations (if any) that need to 
be fixed to secure your code before the actual deployment. 


You can scan the templates either through CLI commands or using APIs: 


Scanning Template Files Using CLI 


Scanning Template Files Using API 


Template Support 
This Qualys IaC Security version supports following template files: 


- AWS, Azure, and GCP Terraform Templates: The .tf template files. The IaC Security scan 
supports over 100 Terraform resource types. 


- AWS, Azure, and GCP Terraform Plan: The .json plan files. To scan the plan files, you 
need to make those files available in JSON format. Refer to 
https://www.terraform.io/docs/internals/json-format.html 


- AWS CloudFormation Template: We support the file types .json, .yaml, .yml, .template 


- Compressed Template File Formats: We support the following compressed template 
file formats: .zip, .7z, tar, tar.gz, .2z 
Pre-requisites 


Users with a non-expired paid/trial version of the Cloud Security Assessment (CSA) 
subscription that has API access enabled. The following users with the required permissions 
can access IaC: 


- A user with Manager access 


- A sub-user with the CLOUDVIEW API Access permission 


Scanning Template Files Using CLI 


Qualys provides an IaC scanning CLI which can be installed on any machine that has 
python3. The Qualys IaC Security CLI is distributed through the Python PIP platform. 


Recommendation: Before you proceed with the installation, we recommend that you create 
a Python virtual environment so that other Python projects are not affected. 


Install the virtualenv package for python3 using the command below: 
- MAC/Unix: python3 -m pip install --user virtualenv 
- Windows: py -m pip install --user virtualenv 


Click here for more information and detailed steps. 


Install Qualys IaC Security CLI 


Use the following command to install the Qualys IaC Security CLI through the command line 
interface: 


pip install Qualys-IaC-Security 


Once Qualys IaC Security is installed, you may verify the installation by running the 
following commands. 


$ qiac -v / --version 
Version: <installed version> 


$ qiac -h / --help 
Usage: Show this message and exit. 
List of Commands 


Common Options 

-c, --config_file     (Optional) Path of the credentials config file set using the "config" command 
-a, --platform_url    Qualys Platform URL 
-u, --user            Qualys username 
-p, --password        Qualys password 
-m, --format          Provides the output in JSON format. [json] 
-X, --proxy           Provide proxy in JSON format. 
                      For example: {\"http\":\"http://<user>:<password>@<host>:<port>\",\"https\":\"https://<host>:<port>\"} 
-h, --help            Show this message and exit 


scan 

-n, --scan_name       (required) Name of the scan 
-d, --path            (required) Single template file or a directory path 
-f, --filter          Use a regular expression to filter and include the input files. Example: ".*[.]tf$" 
                      Note: This option must be used only when a directory path is specified in the path option 
-as, --async          Launches/Triggers the IaC scan asynchronously 
-q, --quiet           Show only failed checks 
-g, --tag             Add the tag (in JSON format) to the scan. For example: [{"env":"linux"},{"test_key":"tags"}] 
-s, --save_output     (optional) Save the output in the current directory 


getresult 

-i, --scan_id         Scan ID 
-s, --save_output     (optional) Save the output in the current directory 


listscans 

-i, --scan_id         Scan ID 


config 

-a, --platform_url    (required) Qualys Platform URL 
-u, --user            (required) Qualys username 
-p, --password        (required) Qualys password 
-c, --config_file     (optional) File path to store the configuration 
Below are some common scenarios for command usage. The parameters used vary 
with the use case. 


Configure IaC CLI (optional command) 
1: Trigger Scan (add -d) 

2: Get the scan results 

3: Get the whole scan list 


4: Get the scan list of single Scan ID 


Configure IaC CLI (optional command) 


The command configures the user's credentials. This command is optional and should be 
used only when a user wants to store Qualys credentials in a flat file for subsequent use. 
Once this file is correctly configured, the user need not provide the Qualys platform URL, 
username, and password details for every CLI command. The authentication details are 
picked up from the configuration file. 


The following command collects the Qualys credentials and stores them in the home directory 
(.qiac.yaml). 


qiac config -a <Qualys Platform URL> -u <username> -p <password> 


Note: The parameters: Qualys Platform URL, username, and password are mandatory 
for this command. 


config_file: name or path of the config file 


where, 
name: if a name is provided, then a config file with the specified name is created. 


path: if a path is provided, then the config file is created at the specified path with the 
default name. The default name is .qiac.yaml. 


By default this command saves the config file in the user's home directory with the name 
.qiac.yaml. If a user doesn't want to save the config file in the home directory, the user can 
use the config_file option to provide the config file path. The config_file option saves the 
file at the specified path. 


A user can use the config file in the following ways: 
- Use the config file from the home directory: 


qiac <commands|params> 


- Use the config file from a custom directory: 


qiac <commands|params> -c <location of config file> 


where, 
the commands could be scan, getresults, listscans. 


Note: If the user does not provide credentials in command options, then CLI checks for the 
config file in the current directory. If the config file is not present in the current directory, 
then CLI checks the user's home directory. 


1: Trigger Scan (add -d) 


The command uploads the scan artifacts (-d) to the Qualys platform, generates a scan ID and returns 
it as output. You may or may not want to add the password parameter on the command line. 


- With password (add -p) 


qiac scan -a <Qualys Platform URL> -u <username> -p <password> -n <scan name> -d <path or single file> 


- Without password (remove -p) 


qiac scan -a <Qualys Platform URL> -u <username> -n <scan name> -d <path or single file> 


- With config file option (add -d: single file option) 


qiac scan -n <scan name> -c <Path of the config file> -d <path or single file> 


- With config file option (add -d: multiple file option) 


qiac scan -n <name of the scan> -c <Path of the config file> -d <path1 to a file or directory> -d <path2 to a file or directory> -d <path3 to a file or directory> 


- With save output option (-s) 


qiac scan -n <scan name> -c <Path of the config file> -d <path or single file> -m <file format:JSON> -s 


Note: Ensure that you always use file format option (-m JSON) along with -s option. The 
option -s saves the scan output in the current directory in JSON format. The file name is 
as follows: 


scan_response_<scanId>.json 


2: Get the scan results 


The command returns the IaC scan result for the provided scan ID (-i) in the default tabular 
format. 


qiac getresult -a <Qualys Platform URL> -u <username> -p 
<password> -i <scan id> 


with config file option 
qiac getresult -c <Path of the config file> -i <scan id> 


3: Get the whole scan list 
The command returns list of all the IaC scans. 


qiac listscans -a <Qualys Platform URL> -u <username> -p 
<password> 


with config file option 
qiac listscans -c <Path of the config file> 

4: Get the scan list of a single Scan ID 

The command returns a single IaC scan as per the scan ID you provide. 

qiac listscans -a <Qualys Platform URL> -u <username> -p <password> -i <scan id> 

with config file option 


qiac listscans -c <Path of the config file> -i <scan id> 
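The four scenarios above are the commands a CI pipeline would issue in sequence. The following is an added example, not part of the Qualys IaC Security CLI: a small Python wrapper that assembles the qiac scan, getresult and listscans command lines and encodes the usage rules stated in this section (-f only when -d is a directory, -s together with -m JSON, and credentials taken from -c, from -a/-u/-p, or from the .qiac.yaml lookup when neither is given). It also previews locally which files a -f regex would include. The scan id values it prints are placeholders; the qiac output format itself is not parsed here (see the CloudView API User Guide for the JSON elements).

```python
"""Wrap the qiac CLI commands for a CI step.

Added example, not part of the Qualys IaC Security CLI. Scan ids used
here are placeholders.
"""
import json
import re
import shutil
import subprocess


def select_templates(names, pattern=r".*[.]tf$"):
    """Preview which input files a -f/--filter regex includes."""
    rx = re.compile(pattern)
    return [n for n in names if rx.match(n)]


def _auth_args(config_file, creds):
    """-c wins; otherwise -a/-u and, only if supplied, -p. Leaving -p out
    keeps the password off the command line (and out of shell history)."""
    if config_file:
        return ["-c", str(config_file)]
    if creds:
        url, user, password = creds
        args = ["-a", url, "-u", user]
        if password is not None:
            args += ["-p", password]
        return args
    return []  # qiac then looks for .qiac.yaml in the current, then home, dir


def scan_option_errors(targets, filter_regex, directory_scan):
    """Return the usage-rule violations for a scan invocation (empty = ok)."""
    errors = []
    if not targets:
        errors.append("at least one -d/--path is required")
    if filter_regex and not directory_scan:
        errors.append("-f/--filter is only valid when -d is a directory path")
    return errors


def scan_argv(scan_name, targets, config_file=None, creds=None,
              filter_regex=None, directory_scan=False, save_json=False,
              quiet=False, tags=None, asynchronous=False):
    """qiac scan -n <name> [auth] -d <t>... [-f re] [-as] [-q] [-g tags] [-m JSON -s]"""
    errors = scan_option_errors(targets, filter_regex, directory_scan)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["qiac", "scan", "-n", scan_name] + _auth_args(config_file, creds)
    for target in targets:
        argv += ["-d", str(target)]
    if filter_regex:
        argv += ["-f", filter_regex]
    if asynchronous:
        argv.append("-as")
    if quiet:
        argv.append("-q")
    if tags:
        argv += ["-g", json.dumps(tags, separators=(",", ":"))]
    if save_json:
        argv += ["-m", "JSON", "-s"]   # -s must be paired with -m JSON
    return argv


def getresult_argv(scan_id, config_file=None, creds=None, save_json=False):
    argv = ["qiac", "getresult"] + _auth_args(config_file, creds) + ["-i", scan_id]
    if save_json:
        argv += ["-m", "JSON", "-s"]
    return argv


def listscans_argv(config_file=None, creds=None, scan_id=None):
    argv = ["qiac", "listscans"] + _auth_args(config_file, creds)
    if scan_id:
        argv += ["-i", scan_id]
    return argv


def run(argv):
    """Execute a qiac command and return its stdout. A non-zero exit raises,
    so a failed scan fails the build instead of being silently ignored."""
    if shutil.which(argv[0]) is None:
        raise RuntimeError("qiac not found; run: pip install Qualys-IaC-Security")
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    cmd = scan_argv("ci-build-42", ["infra/"], config_file="~/.qiac.yaml",
                    filter_regex=".*[.]tf$", directory_scan=True,
                    save_json=True, quiet=True, tags=[{"env": "ci"}])
    print(" ".join(cmd))
    print(" ".join(getresult_argv("<scan id placeholder>", config_file="~/.qiac.yaml")))
```

With save_json set, the scan output lands in the current directory as scan_response_<scanId>.json, which is the file a later pipeline stage can read to decide whether the build may proceed.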


Understanding Scan Output 


In command line interface (CLI), the output is defaulted to tabular display. CLI can output 
JSON response with additional input parameter for format. 


For details on elements in JSON output format, refer to Secure IaC section in CloudView 
API User Guide. 


Scanning Template Files Using API 


Qualys has introduced new API to launch the IaC scan and fetch the scan results and scan 
lists. 


1) Trigger IaC Scan (POST) 
2) Get Scan Results (GET) 
3) Get List of Scans (GET) 


For complete details, refer to Secure IaC section in CloudView API User Guide. 
What's more in CloudView 


We also provide you with many more quick features such as downloading data in CSV 
format, saving your search queries, using date filters. 

Automatic Connector Creation 

We have built a few scripts that could ease tasks for you in CloudView. 


- Connector Creation: There are various scripts you could use to automate the connector 
creation task. 


- Export to Splunk: Use CloudView_Splunk_Scripted_Inputs to integrate CloudView via 
Python scripted inputs into Splunk Enterprise. 


- Alerting data: You could use slack_cloudview_alerts to integrate CloudView Assessment 
data into Slack for alerting. 


You could automate a few steps using the scripts we provide. For complete details and the list of 
scripts, click here. 


Role-based Access Management 


Qualys CloudView is subject to Role-Based Access Control. Users are granted access to 
features and functions based on Roles. These Roles are a consolidation of fine-grained 
Permissions. 


A set of Permissions are grouped together as a Role. A User is assigned one, or more, Roles. 
The sum of the Permissions that are granted a User represent all the rights to access 
features and functions that a User has. 


You can: 

- Block or provide UI access to the CloudView module 

- Provide UI access to the CloudView module with restricted permissions (read-only user) 

- Provide full UI access to the CloudView module with all permissions 


Permissions: Only users with access to Administration module can create sub-users with 
reader role. 


Tell me the difference between sub user roles 


There are two types of sub users that a user with Manager role can create. Depending on 
the permissions you assign to the role, you could categorize the sub users as follows: 


All privilege: Sub User will have all the privileges in CloudView except creating and 
managing other users. 


Reader privileges: Sub User with Reader role can only view the data displayed in 
CloudView module. 
How do I manage access for sub users? 
There are two options for configuring access for sub users: 


- Direct scope definition for sub user 


When you define scope for a sub user, you could directly select the connectors for every 
Cloud Provider and associate it with the sub user. The sub user can then access all the 
connectors defined in the scope for the sub user. 


In the Access Management tab, select the user and select Manage Access from the quick 
action menu. Click Add Accounts link for the specific Cloud Provider and then select the 
connector, and click Save. 


You can select multiple connectors from multiple cloud providers as well. 


For AWS, you can select connector and region as well. 


[Screenshot: Access Details page for a sub user ("Assign the connectors and regions to define the scope for <user>"), showing the User Details (ID, Username, Email, Modules, Role Details), a Groups section ("Manage the access based on groups", no Groups selected) and a Connectors and Regions section ("Manage the access for each cloud provider by assigning connectors or regions") with an Amazon Web Services entry "Manage AWS access by accounts and regions" and no Accounts or Regions selected.]


- Using groups 
Use connector groups to configure connector access for a sub user. 


By default, the sub user can access all connectors as no group is assigned to any user. 
Assign group to user to provide access or restrict access to connectors associated with the 
group. 


Navigate to Configuration tab and then the Cloud Provider (AWS, Azure, or GCP) for which 
you would want to create connector groups. 


Choose the connector for which you want to configure access and click Assign Group from 
the quick action menu. 
Type a name for the group and click Create and then click Save. 


[Screenshot: "Manage access for AWS" dialog ("Assign Connector or Region to the user to define what the user can manage") with Accounts and Regions selectors; the Mumbai region is selected.]


How to change default behavior for sub users with all privileges? 


A sub user with all privileges is able to perform all functions and access all connectors by 
default. If you want to restrict the access to single connector, simply create connector 
group and assign it to the sub user. The sub user can then access only the single connector 
associated with the assigned group. 


To configure access to multiple connectors, assign a common group to all such connectors 
and associate it with the required users. 


Tell me about GroupBy option 


To view the list of connectors grouped together for a single cloud provider, simply click the 
Group by option. 


[Screenshot: Configuration tab for a cloud provider with "Group by: Group Name" selected, listing Group Name and Connectors Count, e.g. RBAC2 (1) and PolicyGroup (1).]


Alternatively, you could use search token. 
group.name: <groupname> 


and the search result lists all the connectors for a cloud provider associated with the 
group. 
Tell me about Scope and Access Conflicts 


Consider a sub user whose direct scope definition conflicts with the access assigned 
through groups. In such cases, the scope overrides and the sub user is able to access the 
connectors defined directly through the scope of the user. 


Let us consider two different examples to understand the conflicts better. 


Case 1: A sub user is assigned a group named AWS_important that includes access to two 
AWS connectors. Also, the sub user has been directly assigned access to five other AWS 
connectors. In such case, the sub user is able to access all the seven connectors. 


Case 2: A sub user is assigned a group that includes none of the connectors. In such case, 
the sub user cannot access any connector. 


However, if the same sub user is directly assigned connectors through scope definition, 
the sub user can access the connectors that are directly assigned. 
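The rules in this section and in the Permissions Required section earlier (all-privilege versus Reader sub users, the Manage Remediation permission, direct scope versus connector groups, and the two cases above) can be written down as a small access model and checked against the cases. The following is an added example, not Qualys code: the connector names are constructed, and the treatment of a sub user who has a direct scope but no group at all (scope only, rather than every connector) is an assumption that this guide does not state explicitly.

```python
"""Model CloudView sub-user access as the guide describes it.

Added example, not Qualys code. Connector names are constructed; the
"direct scope but no group" corner case is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Set

ALL_PRIVILEGES = "all"
READER = "reader"


@dataclass
class SubUser:
    name: str
    role: str                                  # ALL_PRIVILEGES or READER
    manage_remediation: bool = False           # Manage Remediation permission
    direct_scope: Set[str] = field(default_factory=set)   # connectors assigned directly
    groups: List[Set[str]] = field(default_factory=list)  # connectors of each assigned group


# Constructed connectors and the users from the two cases above.
ALL_CONNECTORS = {f"aws-{i}" for i in range(1, 8)}
CASE1_USER = SubUser("case1", ALL_PRIVILEGES, True,
                     direct_scope={"aws-3", "aws-4", "aws-5", "aws-6", "aws-7"},
                     groups=[{"aws-1", "aws-2"}])        # group AWS_important
CASE2_USER = SubUser("case2", ALL_PRIVILEGES, True, groups=[set()])
CASE2B_USER = SubUser("case2b", ALL_PRIVILEGES, True,
                      direct_scope={"aws-3"}, groups=[set()])
DEFAULT_USER = SubUser("default", ALL_PRIVILEGES, True)   # nothing assigned
READER_USER = SubUser("reader", READER, False)


def effective_connectors(user, all_connectors):
    """Connectors the sub user can access.

    With no group and no direct scope assigned the default applies: every
    connector. Otherwise direct scope and group membership are combined
    (Case 1: 2 from the group + 5 direct = 7), so a direct scope always wins
    over an empty group (Case 2) rather than being blocked by it.
    """
    if not user.direct_scope and not user.groups:
        return set(all_connectors)
    allowed = set(user.direct_scope)
    for group in user.groups:
        allowed |= set(group)
    return allowed


def can_view_remediable_controls(user):
    """Both all-privilege and Reader sub users may view remediable controls."""
    return user.role in (ALL_PRIVILEGES, READER)


def can_execute_remediation(user, connector, all_connectors):
    """Only an all-privilege sub user holding Manage Remediation, and only
    on a connector inside that user's effective scope."""
    if user.role != ALL_PRIVILEGES or not user.manage_remediation:
        return False
    return connector in effective_connectors(user, all_connectors)


if __name__ == "__main__":
    for u in (CASE1_USER, CASE2_USER, CASE2B_USER, DEFAULT_USER, READER_USER):
        print(u.name, sorted(effective_connectors(u, ALL_CONNECTORS)),
              can_execute_remediation(u, "aws-1", ALL_CONNECTORS))
```

Running the model over an export of your own users and groups is a quick way to confirm that a group intended as a restriction is not being widened by a forgotten direct scope assignment.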


Download Datalist 


By downloading datalist to your local system you can easily manage the list outside of the 
Qualys platform and share them with other users. You can download results in CSV 
format. 




The datalist that is available for download includes resources (grouped view and resource 
view), controls, control evaluations, and connectors list. 

The download is limited to 10,000 records. 

1) Use our search to narrow down your results. 


2) Select Download from the Tools menu. 


[Screenshot: Resources tab in List View with the query region:"N. Virginia" and account.id:"qualys-dev-cv360..." (Last 24 Hrs), showing 110 Total Security Groups and a list of security groups (e.g. default, Mysql-sec-grp, launch-wizard-21, restrict-all-traffic) with their VPC ID, region and discovery date, and the Tools menu open on Download.]


3) Click Download. That's it! 
Select the "Change timezones for dates included in report" checkbox and select 
the required timezone to convert the dates in the CSV report to the desired timezone. 


[Screenshot: Download dialog with the "Change timezones for dates included in report" checkbox selected and a timezone chosen, e.g. (GMT 05:30) India Standard Time (IST Asia/Colombo), with Cancel and Download buttons.]


Choosing Date Range 


Narrow down your search results for controls using our new date filter. The date filter 
provides 8 options: Today, Yesterday, Last 7 days, Last 30 days, Last 90 days, This Month, 
Last Month, and Specific range. Depending on the date option you choose, the search 
results display the controls that were evaluated within the chosen date range. 


Go to Monitor tab, type your search query in the search pane and then choose the date 
filter to further filter your search results. 


[Screenshot: Monitor tab for Amazon Web Services with the query policy.name:"AWS Best Practices Policy" and service.type:"RDS" and the date filter drop-down open (Today, Yesterday, Last 7 Days, Last 30 Days, Last 90 Days, This Month, Last Month, Specific range; Last 90 Days selected). The results list AWS Best Practices Policy RDS controls such as "Ensure that Public Accessibility is set to No for Database Instances", "Ensure DB snapshot is not publicly visible", "Ensure Encryption is enabled for the database Instance", "Ensure database Instance snapshot is encrypted", "Ensure auto minor version upgrade is enabled for a Database Instance" and "Ensure database Instance is not listening on a standard/default port", each with pass/fail counts and total resources.]


Saved Search 


You can easily save your searches for reuse and share them with other users.

Enter your search query and then click Save this Search Query.


[Screenshot: Monitor tab for Amazon Web Services with the query resource.type:"Subnet" entered in the search box. The search menu offers Recent Searches, Save this Search Query and Load/manage Saved Searches; the results list subnets with the Subnet ID, Account ID, Region, Availability Zone, VPC ID and First Discovered On columns. The Save Search dialog has a Title field (for example Search_name) and Save and Cancel buttons.]

Give your search a title, then click Save.


Choose Load/manage Saved Searches to use one of the searches you previously saved. 


[Screenshot: Saved Searches dialog ("Please click to pick a saved search") listing Subnet_resource_search, Subnet_region_search and subnet_specific_account.]


Delete any saved search you're no longer interested in. 


[Screenshot: Saved Searches dialog with a delete icon beside each saved search; select the search and click the icon to delete it. Close dismisses the dialog.]
Customize Dashboards


Dashboards help you visualize your assets. You can add widgets with search queries to see exactly what you're interested in. You can also export and import dashboard and widget configurations from the Tools menu to a file in JSON format, allowing you to share them between accounts or within the Qualys community.


Each dashboard is a collection of widgets showing resource data of interest. You can 
create multiple dashboards and switch between them. 


You can personalize the default dashboard - add widgets, resize them, move them around 
to change the layout. Use the menu to manage your dashboards. 


How to Take Action 


Here's a quick look at your dashboard options.

Tools menu: take actions on the entire dashboard: set the default, create dashboard, change layout, delete, print, export dashboard, import dashboard and import widget.

Widget menu: take actions on a single widget: edit widget, delete widget, refresh widget data, create template from widget, export widget.


Adding custom widgets 
1) Start by clicking the Add Widget button on your dashboard. 


2) Pick one of our templates: the CV pane has five default templates to choose from, or choose the Custom pane to create your own widget. Let us consider an example of creating a customized bar widget for Azure resources.


[Screenshot: Add Widget to Dashboard. The Templates pane shows CV (5 Widget Templates) and Custom Template, with the prompt "Select the template you would like to add to your dashboard. Application based templates are widgets that are configured by the system to provide you with the essential data you need to monitor." Under Custom Template, choose the Bar Chart template ("Customizable bar chart allowing to view differences at a glance") or Custom Count.]


3) Each widget is unique. Define your custom settings. For some you'll select query data 
source, a query, group by option, limit and layout - count, table, bar graph, pie chart. 


[Screenshot: Customize data widget, Bar Chart type. Widget Type offers Count, Table, Column and Pie; Query Data Source is set to Azure Resource; the friendly name is Custom Widget Example; preferences include Vertical Columns, Show Legend and Show Labels; the query is resource.type:SQL Server Database. The Preview pane shows bars for Resource Group: 161, Virtual Network: 124, Network Security Group: 291, SQL Server Database: 16 and Virtual Machine: 199.]

a - Choose widget type: Count, Table, Column, Pie.
b - Choose data source from the dropdown. For example: Azure Resources.
c - Provide a name for your widget.
d - Choose the resource type.
e - Type your search query using pre-defined tokens.

The Preview pane displays the preview of your widget.


4) Click Add to Dashboard to view the widget in the dashboard. You can check the widget first with the Test and Preview button.

From the Actions menu on the dashboard, you can also import and export widget configurations to a file in JSON format, allowing you to share the widgets between accounts or within the Qualys community.
Resizing and layout


Resize any widget horizontally, drag & drop widgets to 
change the layout. Refresh your view. 


1) Click the Tools icon on your dashboard.

2) Select Edit Dashboard Layout.

3) Adjust the width for any widget or drag the widget to a new location.

4) Click OK to save your changes.


Refresh your view 




[Screenshot: Tools menu listing Set as Default Dashboard, Edit Dashboard, Edit Dashboard Layout, Create New Dashboard, Create Template from this Dashboard, Delete Dashboard, Print Dashboard, Export this Dashboard, Import New Dashboard and Import New Widget.]


You might want to see the latest data for a particular widget. Select the widget menu and choose Refresh.


To refresh all widgets in one go, choose the Refresh Dashboard option from the Tools 
menu and all the widgets on the dashboard will be refreshed. 


Configure number of Resources, Controls 


You might also want to choose the number of resources or controls displayed in your Live 
Feed widget. You can choose to display: Top 10, Top 5, or Top 3 failed controls or resources. 
Appendix: List of Policies and Controls


CloudView continuously discovers resources and checks that they are compliant with the respective Benchmark and Best Practices policies provided out-of-the-box.


The Policies tab lists the policies we currently support. 


AWS

- CIS Amazon Web Services Foundations Benchmark
- AWS Best Practices Policy
- AWS Lambda Best Practices Policy
- AWS Database Service Best Practices Policy

Azure

- CIS Microsoft Azure Foundations Benchmark
- Azure Best Practices Policy
- Azure Function App Best Practices Policy
- Azure Database Service Best Practices Policy

GCP

- CIS Google Cloud Platform Foundation Benchmark
- GCP Best Practices Policy
- GCP Cloud Functions Best Practices Policy
- GCP Cloud SQL Best Practices Policy
- GCP Kubernetes Engine Best Practices Policy

AWS Policies


Let us view all the policies and associated controls for AWS. 


CIS Amazon Web Services Foundations Benchmark

We support controls for the following AWS resources:

- Identity and Access Management (IAM)
- CloudTrail
- VPC
- Config
- Network ACLs
- S3 Bucket
- RDS
- IAM User


Identity and Access Management (IAM)

CID 1: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
CID 2: Ensure console credentials unused for 90 days or greater are disabled
CID 4: Ensure access key1 is rotated every 90 days or less
CID 5: Ensure access key2 is rotated every 90 days or less
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy prevents password reuse
Ensure no root account access key exists
Ensure MFA is enabled for the root account
Ensure hardware MFA is enabled for the root account
Avoid the use of the root account
Ensure rotation for customer created CMKs is enabled
CID 160: Ensure that IAM Access analyzer is enabled
CID 19: Ensure a support role has been created to manage incidents with AWS Support
CID 50: Ensure IAM policies that allow full administrative privileges are not created
CID 68: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed. Note: this control needs the current date to evaluate and is not supported in the current framework.
CID 171: Ensure there is only one active access key available for any single IAM user
CID 175: Ensure no Inline Policies are attached to IAM Users directly
CID 176: Ensure no Managed Policies are attached to IAM Users directly
CID 199: Ensure not to setup access keys during initial user setup for all IAM users that have a console password except for the master account

CloudTrail

CID 19: Ensure CloudTrail is enabled in all regions
CID 20: Ensure CloudTrail log file validation is enabled
CID 21: Ensure the S3 bucket CloudTrail logs to is not publicly accessible
CID 22: Ensure CloudTrail trails are integrated with CloudWatch Logs
CID 24: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
CID 25: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
CID 27: Ensure a log metric filter and alarm exist for unauthorized API calls
CID 28: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
CID 29: Ensure a log metric filter and alarm exist for usage of "root" account
CID 30: Ensure a log metric filter and alarm exist for IAM policy changes
CID 31: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
CID 32: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
CID 33: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
CID 34: Ensure a log metric filter and alarm exist for S3 bucket policy changes
CID 35: Ensure a log metric filter and alarm exist for AWS Config configuration changes
CID 36: Ensure a log metric filter and alarm exist for security group changes
CID 37: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
CID 38: Ensure a log metric filter and alarm exist for changes to network gateways
CID 39: Ensure a log metric filter and alarm exist for route table changes
CID 40: Ensure a log metric filter and alarm exist for VPC changes
CID 172: Ensure a log metric filter and alarm exists for AWS Organizations changes

VPC

CID 41: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
CID 42: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
CID 43: Ensure VPC flow logging is enabled in all VPCs
CID 44: Ensure the default security group of every VPC restricts all traffic

Config

CID 23: Ensure AWS Config is enabled in all regions

Network ACLs

CID 161: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 22
CID 170: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to port 3389

S3 Bucket

CID 59: Ensure "Block new public bucket policies" for a bucket is set to true.
CID 60: Ensure that "Block public and cross-account access" if bucket has public policies for bucket is set to true.
CID 61: Ensure that "Block new public ACLs and uploading public objects" for a bucket is set to true.
CID 62: Ensure that "Remove public access granted through public ACLs" for a bucket is set to true.
CID 177: Ensure that Object-level logging for write events is enabled for S3 bucket
CID 178: Ensure that Object-level logging for read events is enabled for S3 bucket
CID 255: Ensure MFA Delete is enabled on S3 buckets

RDS

CID 53: Ensure Encryption is enabled for the database Instance

IAM User

CID 199: Ensure not to setup access keys during initial user setup for all IAM users that have a console password except for the master account
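To make the VPC and Network ACL controls above concrete, here is an added example (not CloudView's own engine or API) that evaluates CID 41, 42 and 44 for security groups and CID 161 and 170 for network ACLs against hand-built records shaped like the AWS describe-security-groups and describe-network-acls output; every group id, ACL id and CIDR in it is constructed, and the NACL check goes slightly beyond the control text by honouring rule-number ordering.

```python
"""Added example, not CloudView code: evaluate CIS AWS Foundations controls
CID 41/42/44 (security groups) and CID 161/170 (network ACLs) against
constructed records mirroring describe-security-groups / describe-network-acls.
All ids and CIDRs below are placeholders."""

ANY_IPV4 = "0.0.0.0/0"
CHECKS_SG = ((41, 22), (42, 3389))      # (control id, port)
CHECKS_NACL = ((161, 22), (170, 3389))


def rule_covers_port(protocol, from_port, to_port, port):
    """True when a rule's protocol and port range include TCP `port`.
    "-1" means all protocols; tcp with no range means all ports; a wide
    range such as 3000-4000 still covers 3389."""
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "6"):    # SG rules use names, NACL entries numbers
        return False
    if from_port is None or to_port is None:
        return True
    return from_port <= port <= to_port


def sg_open_to_world(sg, port):
    """CID 41 / 42: an ingress permission with source 0.0.0.0/0 covering `port`."""
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_port(perm.get("IpProtocol"), perm.get("FromPort"),
                                perm.get("ToPort"), port):
            continue
        if any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", [])):
            return True
    return False


def default_sg_restricts_all(sg):
    """CID 44: the VPC default group passes only with no rules in either direction."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def nacl_allows_from_world(nacl, port):
    """CID 161 / 170. NACL entries are evaluated in RuleNumber order and the
    first match wins, so a lower-numbered deny shadows a later allow. Only
    ingress entries with source 0.0.0.0/0 are considered; the implicit final
    rule denies, so no match means the control passes."""
    ingress = sorted((e for e in nacl.get("Entries", []) if not e.get("Egress")),
                     key=lambda e: e["RuleNumber"])
    for entry in ingress:
        if entry.get("CidrBlock") != ANY_IPV4:
            continue
        rng = entry.get("PortRange") or {}
        if not rule_covers_port(entry.get("Protocol"), rng.get("From"),
                                rng.get("To"), port):
            continue
        return entry.get("RuleAction") == "allow"   # first matching rule decides
    return False


def evaluate(security_groups, nacls):
    """Return (control id, resource id) for every failed control, in inventory order."""
    failures = []
    for sg in security_groups:
        for cid, port in CHECKS_SG:
            if sg_open_to_world(sg, port):
                failures.append((cid, sg["GroupId"]))
        if sg.get("GroupName") == "default" and not default_sg_restricts_all(sg):
            failures.append((44, sg["GroupId"]))
    for nacl in nacls:
        for cid, port in CHECKS_NACL:
            if nacl_allows_from_world(nacl, port):
                failures.append((cid, nacl["NetworkAclId"]))
    return failures


# Constructed sample inventory (placeholder ids, not real resources).
SAMPLE_SGS = [
    {"GroupId": "sg-00000001", "GroupName": "bastion",     # fails CID 41
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": ANY_IPV4}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-00000002", "GroupName": "wide-range",  # 3000-4000 covers 3389: fails CID 42
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "IpRanges": [{"CidrIp": ANY_IPV4}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-00000003", "GroupName": "default",     # internal-only rule, still fails CID 44
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": []},
]
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-00000001", "Entries": [          # 22 shadowed by rule 50; 3389 open via rule 100
        {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": ANY_IPV4, "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_IPV4}]},
    {"NetworkAclId": "acl-00000002", "Entries": [          # 22 allowed; the 3389 entry is egress, ignored
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_IPV4, "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": ANY_IPV4, "PortRange": {"From": 3389, "To": 3389}}]},
]

if __name__ == "__main__":
    for cid, resource in evaluate(SAMPLE_SGS, SAMPLE_NACLS):
        print(f"FAIL CID {cid}: {resource}")
```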


AWS Best Practices Policy

We support controls for the following AWS resources:

- IAM
- S3 Controls
- EC2 Images
- EBS Volumes
- KMS Key
- KMS Key Store
- Load Balancers
- EFS
- Redis
- Memcached
- ES Domain
- Route 53
- FireHose
- KMS
- Directory
- Workspace
- Transit gateway
- Rest API Gateway
- EMR
- ACM
- Config
- Step Function
- CloudWatch Log Group
- SNS Topic
- SQS Queue
- System Manager
- Security Group
- SageMaker Notebook
- ECR Images
- ECR Repository
- ECS Cluster
- MSK_CLUSTER
- Network Load Balancer
- CloudFront
- MQ Broker
- Global Accelerator
- CodeBuild
- Athena Workgroup
- DMS Replication
- VPC Endpoints
- Cloud Formation Stack
- Secrets
- Auto Scaling Group
- Backup Vaults
- Glacier Vault
- SQS Queue
- Network ACL
- DynamoDB Table
- Route 53 Record
- EC2 Instance
- EC2
- Transfer Server

IAM

CID 3: Ensure access keys unused for 90 days or greater are disabled
CID 6: Ensure IAM Password Policy is Enabled
CID 7: Ensure IAM password policy requires at least one uppercase letter
CID 8: Ensure IAM password policy requires at least one lowercase letter
CID 9: Ensure IAM password policy requires at least one symbol
CID 10: Ensure IAM password policy requires at least one number
CID 13: Ensure IAM password policy expires passwords within 90 days or less
CID 17: Ensure IAM policies are attached only to groups or roles

S3 Controls

CID 45: S3 Bucket Access Control List Grant Access to Everyone or Authenticated Users
CID 46: Ensure S3 Bucket Policy does not allow anonymous (public) access to S3 bucket
CID 47: Ensure access logging is enabled for S3 buckets
CID 48: Ensure versioning is enabled for S3 buckets
CID 57: Ensure that bucket policy enforces encryption in transit
CID 63: Ensure 'Block new public bucket policies' for an AWS Account is set to true.
CID 64: Ensure 'Block public and cross-account access to buckets that have public policies' for an AWS Account is set to true.
CID 65: Ensure 'Block new public ACLs and uploading public objects' for an account is set to true.
CID 66: Ensure 'Remove public access granted through public ACLs' for an account is set to true.
CID 67: Ensure Server Side Encryption (SSE) is enabled for S3 bucket.

EC2 Images

CID 114: Ensure Images (AMIs) owned by an AWS account are not public
CID 126: Ensure AMIs owned by an AWS account are encrypted

EBS Volumes

CID 115: Ensure that EBS Volumes attached to EC2 instances are encrypted
CID 116: Ensure that Unattached EBS Volumes are encrypted
Ensure AWS EBS Volume snapshots are encrypted
Ensure CMK is used to encrypt data at rest for EFS
Ensure that AWS Elastic Block Store (EBS) volume snapshots are not public
CID 203: Ensure EBS volumes are encrypted with customer managed master keys
CID 204: Ensure AWS EBS Volume snapshots are encrypted with customer managed master keys

KMS Key

CID 58: Ensure that the key expiry is set for CMKs with external key material.
CID 119: Ensure no AWS Managed CMKs is present
CID 120: Ensure no CMK is marked for deletion
CID 121: Ensure only Root user of the AWS Account should be allowed full access on the CMK
CID 122: Permissions to delete key is not granted to any Principal other than the Root user of AWS Account
CID 123: Ensure CMK administrators are not the user of the key

KMS Key Store

CID 124: Ensure all Custom key stores are connected to their CloudHSM clusters
Load Balancers

CID 128: Ensure access log is enabled for Elastic load balancer
CID 129: Ensure access log is enabled for Classic Elastic load balancer
CID 130: Ensure Classic Elastic load balancer is not using unencrypted protocol
CID 131: Ensure Elastic load balancer listener is not using unencrypted protocol
CID 248: Ensure that NLB listeners using default insecure ports are not configured for passthrough
CID 395: Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks

The remaining load balancer controls (the extracted page shows CIDs 195, 245, 246, 247, 249, 338, 351, 354, 360, 367, 369 and 403 among them, without a legible pairing):

- Ensure there are no Internet facing Application load balancers
- Ensure ALB using listener type HTTPS must have SSL Security Policy
- Ensure that ALB using listener type HTTP must be redirected to HTTPS
- Ensure that ALB listeners have HTTPS enabled Target Groups
- Ensure that NLB balancer listener is not using unencrypted protocol
- Ensure that Classic Elastic load balancer is not internet facing
- Ensure Classic Elastic Load balancer must have SSL Security Policy
- Ensure there are no Internet facing Network load balancers
- Ensure NLB using listener type TLS must have SSL Security Policy
- Ensure that NLB listeners using TLS have TLS enabled Target Groups configured
- Ensure AWS NLB logging is enabled
- Ensure that load balancer is using TLS 1.2
- Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
- Ensure that ALB drops HTTP headers
- Ensure that ELB is cross-zone-load-balancing enabled
- Ensure that Load Balancer has deletion protection enabled
- Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing
- Ensure public-facing ALB are protected by WAF

EFS

CID 144: Ensure EFS Encryption is enabled for data at rest
CID 252: Ensure to encrypt the data in transit when using NFS between the client and EFS

Redis

CID 148: Ensure that AWS ElastiCache Redis clusters are not associated with default VPC
CID 149: Ensure that AWS ElastiCache redis clusters are not using their default endpoint ports
CID 151: Ensure AWS ElastiCache Redis cluster with MultiAZ Automatic Failover feature is set to enabled
CID 152: Ensure AWS ElastiCache Redis cluster with Redis AUTH feature is enabled
CID 153: Ensure that AWS ElastiCache Redis clusters are In-Transit encrypted
CID 154: Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted
CID 155: Ensure that AWS ElastiCache Redis clusters are Data At-Rest encrypted with CMK

Memcached

CID 147: Ensure that AWS ElastiCache Memcached clusters are not associated with default VPC
CID 150: Ensure that AWS ElastiCache memcached clusters are not using their default endpoint ports

ES Domain

CID 156: Ensure node-to-node encryption feature is enabled for AWS Elasticsearch Service
CID 157: Ensure AWS Elasticsearch Service domains have enabled the support for publishing slow logs to AWS CloudWatch Logs
CID 158: Ensure AWS Elasticsearch Service domains are not publicly accessible
CID 159: Ensure AWS Elasticsearch Service domains are using the latest version of Elasticsearch engine
CID 285: Ensure all data stored in the Elasticsearch is securely encrypted at rest
CID 326: Ensure Elasticsearch Domain enforces HTTPS
CID 359: Ensure that Elasticsearch is configured inside a VPC

Route 53

CID 162: Ensure AWS Route 53 Registered domain has Transfer lock enabled
CID 163: Ensure AWS Route 53 Registered domain has Auto renew Enabled
CID 164: Ensure AWS Route 53 Registered domain is not expired

FireHose

CID 165: Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured
CID 166: Ensure AWS Kinesis Data Firehose delivery stream with Kinesis Data stream as source has Server-side encryption configured
CID 167: Ensure AWS Kinesis Data Firehose delivery stream with Direct PUT and other sources as source has Server-side encryption configured with KMS Customer Managed Keys

KMS

CID 174: Ensure that Customer managed KMS keys use external key material
Directory

CID 188: Ensure IncreaseVolumeSize is Disabled for Workspace directories in all regions
CID 205: Ensure "RestartWorkspace" is Enabled in all the regions
CID 208: Ensure WorkDocs is not enabled in Workspace Directories
CID 209: Ensure Access to Internet Access is not enabled in Workspace Directories
CID 210: Ensure Local Administrator setting is not enabled in Workspace Directories
CID 211: Ensure Maintenance Mode is not enabled in Workspace Directories
CID 212: Ensure Device Type Windows Access Control is not enabled in Workspace Directories
CID 213: Ensure Device Type MacOS Access Control is not enabled in Workspace Directories
CID 214: Ensure Device Type Web Access Control is not enabled in Workspace Directories
CID 215: Ensure Device Type iOS Access Control is not enabled in Workspace Directories
CID 216: Ensure Device Type Android Access Control is not enabled in Workspace Directories
CID 217: Ensure Device Type ChromeOS Access Control is not enabled in Workspace Directories
CID 218: Ensure Device Type ZeroClient Access Control is not enabled in Workspace Directories
CID 221: Ensure ChangeComputeType is Disabled in all regions for Workspace Directories
CID 222: Ensure SwitchRunningMode is Disabled in all regions for Workspace Directories
CID 223: Ensure RebuildWorkspace is Disabled in all regions for Workspace Directories
CID 224: Ensure only AD Connector directory type is allowed for AWS Directories

Workspace

CID 179: Ensure MFA is enabled in AWS Directory
CID 181: Ensure proper protocol is configured for Radius server in AWS Directory
CID 197: Ensure to encrypt the Volumes (Root and User) with the customer managed master keys in the same account and the region
CID 225: Ensure to enable the encryption of the Root volumes for Workspaces in all regions
CID 226: Ensure to enable the encryption of the User volumes for Workspaces in all regions

Transit gateway

CID 228: Ensure to disable default route table association for Transit Gateways in all regions
CID 229: Ensure to disable default route table propagation for Transit Gateways in all regions


Rest API Gateway

CID 227: Ensure Amazon API Gateway APIs are only accessible through private API endpoints in all regions
CID 242: Ensure logging is not set to OFF for Rest APIs Stage in all regions
CID 244: Ensure accessLogSettings exists with the destinationArn and in the json format for Rest API Stage in all regions
CID 243: Ensure to enable encryption if caching is enabled for Rest API Stage in all regions
CID 318: Ensure API Gateway has X-Ray Tracing enabled
CID 388: Ensure API Gateway stage have logging level defined as appropriate and have metrics enabled

EMR

CID 234: Ensure to configure certificate provider type to custom in EMR security configuration
CID 235: Ensure to enable data in transit encryption for EMR security configurations
CID 237: Ensure termination protection is enabled for EMR Clusters
CID 385: Ensure that EMR Cluster security configuration encryption is using SSE-KMS
CID 342: Ensure that EMR clusters with Kerberos have Kerberos Realm set

ACM

Ensure ACM uses imported certificates only and does not create/issue certificates
Ensure expired certificates are removed from AWS ACM
Ensure ACM certificates should not have domain with wildcard(*)
Ensure that the certificate use appropriate algorithms and Key size

Config

Ensure to enable config for the all resources for Config Service
Ensure to enable config for the global resources like IAM for Config Service
CID 233: Ensure to configure s3 buckets which contains details for the resources that Config records
Ensure to configure data retention period for the configuration items for Config

Step Function

CID 200: Ensure to log state machine's execution history to CloudWatch Logs
CloudWatch Log Group

CID 373: Ensure to encrypt cloudwatch log groups
CID 313: Ensure CloudWatch Log Group has a retention period set to 7 days or greater

SNS Topic

CID 290: Ensure SNS Topics have encryption at rest enabled
CID 182: Ensure SNS Topics do not Allow 'Everyone' to Publish
CID 183: Ensure SNS Topics do not Allow 'Everyone' to Subscribe
CID 383: Ensure SNS topic policy is not public by only allowing specific services or principals to access it

SQS Queue

CID 291: Ensure SQS Queue have encryption at rest enabled

System Manager

CID 236: Ensure that all AWS Systems Manager (SSM) parameters are encrypted

Security Group

CID 196: Ensure AWS VPC subnets have automatic public IP assignment disabled

SageMaker Notebook

CID 288: Ensure SageMaker Notebook is encrypted at rest using KMS CMK
CID 347: Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance
CID 334: Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest

ECR Images

CID 377: Ensure ECR image scanning on push is enabled

ECR Repository

CID 358: Ensure that ECR repositories are encrypted using KMS
CID 305: Ensure ECR Image Tags are immutable
CID 293: Ensure ECR repository policy is not set to public

ECS Cluster

CID 312: Ensure container insights are enabled on ECS cluster

MSK_CLUSTER

CID 324: Ensure MSK Cluster encryption at rest and in transit is enabled

Network Load Balancer

CID 202: Ensure to update the Security Policy of the Network Load Balancer
CloudFront

CID 295: Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
CID 314: Ensure that CloudFront Distribution has WAF enabled
CID 327: Ensure Cloudfront distribution has Access Logging enabled

MQ Broker

CID 303: Ensure MQ Broker logging is enabled
CID 315: Ensure MQ Broker is not publicly exposed

Global Accelerator

CID 319: Ensure Global Accelerator accelerator has flow logs enabled

CodeBuild

CID 321: Ensure that CodeBuild Project encryption is not disabled

Athena Workgroup

CID 325: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption
CID 374: Ensure that Athena Workgroup is encrypted

DMS Replication

CID 329: Ensure that DMS replication instance is not publicly accessible

VPC Endpoints

CID 348: Ensure that VPC Endpoint Service is configured for Manual Acceptance

Cloud Formation Stack

CID 349: Ensure that CloudFormation stacks are sending event notifications to an SNS topic

Secrets

CID 366: Ensure that Secrets Manager secret is encrypted using KMS

Auto Scaling Group

CID 370: Ensure that Autoscaling groups supply tags to launch configurations
CID 286: Ensure all data stored in the Launch configuration EBS is securely encrypted

Backup Vaults

CID 380: Ensure Backup Vault is encrypted at rest using KMS CMK

Glacier Vault

CID 381: Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it

SQS Queue

CID 382: Ensure SQS queue policy is not public by only allowing specific services or principals to access it


Network ACL

CID 386: Ensure that all NACL are attached to subnets

DynamoDB Table

CID 396: Ensure that Auto Scaling is enabled on your DynamoDB tables

Route 53 Record

CID 401: Ensure that Route53 A Record has Attached Resource

EC2 Instance

CID 328: Ensure that EC2 instance have no public IP
CID 350: Ensure that detailed monitoring is enabled for EC2 instances
CID 357: Ensure that EC2 is EBS optimized

EC2

CID 398: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances

Transfer Server

CID 378: Ensure Transfer Server is not exposed publicly


AWS Lambda Best Practices Policy

We support the AWS Lambda Best Practices Policy specifically for Lambda resources. The pre-defined system policy is loaded with the following system-defined controls.

CID 97: Ensure that Lambda function has tracing enabled
CID 98: Ensure that Lambda Function is not using An IAM role for more than one Lambda Function
CID 99: Ensure that Multiple Triggers are not configured in Lambda Function
CID 100: Ensure that Lambda Runtime Version is latest and not custom
CID 101: Ensure that Lambda function does not have Admin Privileges
CID 102: Ensure that Lambda function does not have Cross Account Access
CID 103: Ensure that Lambda Environment Variables at-rest are encrypted with CMK
CID 104: Ensure that Lambda Environment Variables are encrypted using AWS encryption helpers for encryption in transit
CID 105: Ensure that Lambda function is not Exposed (Ensure that Lambda function does not allow anonymous invocation)
CID 106: Ensure that VPC access for Lambda Function is not set to default(Null)
CID 107: Ensure that AWS Lambda excess Permissions are removed
Note: This control is not applicable for GovCloud region.
CID 125: Ensure that multiple triggers are not configured for Lambda Function Aliases


AWS Database Service Best Practices Policy

The AWS Database Service Best Practices Policy covers best practices for the PaaS database services exposed by AWS. Controls are provided for the following resources:

- RDS
- RedShift Clusters
- Amazon Aurora
- DocumentDB Instance
- Document DB Clusters
- Neptune DB Clusters
- DynamoDB
- QLDB Ledger
- DAX Cluster
- DynamoDB Table
- RDS Cluster


RDS

CID 51: Ensure that Public Accessibility is set to No for Database Instances
CID 52: Ensure DB snapshot is not publicly visible
CID 54: Ensure database Instance snapshot is encrypted
CID 55: Ensure auto minor version upgrade is enabled for a Database Instance
CID 56: Ensure database Instance is not listening on a standard/default port
CID 69: Ensure automated backups are enabled for RDS database instances
CID 70: Ensure that Deletion Protection is enabled for RDS DB Cluster
CID 71: Ensure that Deletion Protection is enabled for RDS Database instances
CID 72: Ensure that IAM Database Authentication is Enabled for the DB Cluster
CID 73: Ensure that IAM Database Authentication is Enabled for the DB Instances
CID 74: Ensure that AWS RDS Log Exports is enabled for DB Cluster
CID 75: Ensure that AWS RDS Log Exports is enabled for DB Instances
CID 76: Ensure that RDS Database Master username is not set to well-known/default
CID 77: Ensure VPC security group attached to RDS Database Instance does not allow inbound traffic from ANY source IP
CID 78: Ensure RDS DB instances are not present in public subnets
CID 79: Ensure RDS DB Cluster are not present in public subnets
CID 80: Ensure Event Subscriptions for Instance Level Events is Enabled for DB Instances
CID 81: Ensure RDS Microsoft SQL instance enforces encrypted connections only
CID 82: Ensure RDS PostgreSQL instance enforces encrypted connections only
CID 83: Ensure RDS PostgreSQL Cluster enforces encrypted connections only
CID 84: Ensure that Encryption is enabled for the RDS DB Cluster
CID 85: Ensure RDS DB Cluster snapshots are encrypted
CID 86: Ensure CMK is used to protect RDS DB Cluster encryption key
CID 87: Ensure CMK is used to protect RDS DB Instance encryption key
CID 88: Ensure DB instance replication is set to another Zone for High Availability
CID 89: Ensure that DB Cluster replication is set to another Zone for High Availability
CID 90: Ensure RDS database Cluster snapshots are not public
CID 91: Ensure that Enhanced monitoring is enabled for RDS Database Instance
CID 92: Ensure that AWS RDS DB Cluster with copy tags to snapshots option is enabled
CID 93: Ensure AWS RDS instances with copy tags to snapshots option is enabled
CID 94: Ensure Event Subscriptions for cluster Level Events is Enabled for DB Clusters
CID 95: Ensure MySQL DB Instance backup Binary logs configuration is not enabled
CID 96: Ensure backup configuration is enabled for MSSQL DB Instances
CID 117: Ensure that RDS Instances certificates are rotated
CID 257: Ensure status of the 'log_destination' parameter for PostgreSQL instance is set to 'csvlog'
CID 258: Ensure status of the 'log_rotation_age' parameter for PostgreSQL instance is set to 60 (minutes)
CID 259: Ensure status of the 'log_connections' parameter for PostgreSQL instance is set to ON(1)
CID 260: Ensure status of the 'log_disconnections' parameter for PostgreSQL instance is set to ON(1)
CID 261: Ensure status of the 'log_hostname' parameter for PostgreSQL instance is set to OFF(0)
CID 262: Ensure status of the 'log_statement' parameter for PostgreSQL instance is set to 'ddl' or stricter
CID 263: Ensure the 'pgaudit.log' parameter for PostgreSQL instance is set to appropriate value
CID 250: Ensure RDS instances are not open to a large scope
CID 201: Ensure RDS Instance does not have an interface open to a public scope
CID 402: Ensure that Postgres RDS has Query Logging enabled
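The PostgreSQL parameter controls above (CIDs 257 to 263 for RDS instances, and the matching CIDs 265 to 271 for Aurora PostgreSQL clusters listed further down) all compare a DB parameter group against a fixed expectation. The Python below is an added example, not Qualys code: it evaluates a parameter group, given as a name-to-value mapping such as one flattened from `aws rds describe-db-parameters`, against those expectations. It treats `log_statement` as ordered (`none` < `ddl` < `mod` < `all`), accepts a `log_destination` list that includes `csvlog`, and reads `log_rotation_age` as minutes. The two parameter groups are constructed samples, and the interpretation of "appropriate value" for `pgaudit.log` (anything other than empty or `none`) is an assumption.

```python
# Order of log_statement values from least to most verbose; 'ddl' or stricter
# means ddl, mod or all.
LOG_STATEMENT_ORDER = ["none", "ddl", "mod", "all"]


def _is_on(value):
    return str(value).strip().lower() in {"1", "on", "true", "yes"}


def _is_off(value):
    return str(value).strip().lower() in {"0", "off", "false", "no"}


def _check_log_destination(value):
    # RDS accepts a comma-separated list; the control wants csvlog among them.
    return "csvlog" in {v.strip().lower() for v in str(value).split(",")}


def _check_rotation_age(value):
    # Control value is 60 minutes; rotating at least that often is treated as compliant.
    try:
        minutes = int(value)
    except (TypeError, ValueError):
        return False
    return 0 < minutes <= 60


def _check_log_statement(value):
    v = str(value).strip().lower()
    return v in LOG_STATEMENT_ORDER and (
        LOG_STATEMENT_ORDER.index(v) >= LOG_STATEMENT_ORDER.index("ddl"))


def _check_pgaudit(value):
    # Assumption for "appropriate value": pgaudit must be set to log something.
    return str(value).strip().lower() not in {"", "none"}


# (parameter, expectation as worded in the control, check function)
PG_PARAMETER_CHECKS = [
    ("log_destination", "'csvlog'", _check_log_destination),
    ("log_rotation_age", "60 (minutes)", _check_rotation_age),
    ("log_connections", "ON(1)", _is_on),
    ("log_disconnections", "ON(1)", _is_on),
    ("log_hostname", "OFF(0)", _is_off),
    ("log_statement", "'ddl' or stricter", _check_log_statement),
    ("pgaudit.log", "appropriate value", _check_pgaudit),
]

# Constructed sample parameter groups (name -> value); not real customer data.
SAMPLE_WEAK = {
    "log_destination": "stderr",
    "log_rotation_age": "1440",
    "log_connections": "1",
    "log_disconnections": "0",
    "log_hostname": "1",
    "log_statement": "none",
    "pgaudit.log": "ddl,write",
}
SAMPLE_HARDENED = {
    "log_destination": "stderr,csvlog",
    "log_rotation_age": "60",
    "log_connections": "1",
    "log_disconnections": "1",
    "log_hostname": "0",
    "log_statement": "mod",
    "pgaudit.log": "ddl,role",
}


def evaluate_pg_parameters(params):
    """Return (parameter, expected, actual, passed) for every control."""
    results = []
    for name, expected, check in PG_PARAMETER_CHECKS:
        actual = params.get(name)  # None when the parameter is unset in the group
        passed = actual is not None and check(actual)
        results.append((name, expected, actual, passed))
    return results


def failing_parameters(params):
    """Names of the parameters whose control fails, in control order."""
    return [name for name, _, _, passed in evaluate_pg_parameters(params) if not passed]


if __name__ == "__main__":
    for name, expected, actual, passed in evaluate_pg_parameters(SAMPLE_WEAK):
        print(f"{'PASS' if passed else 'FAIL'} {name}: expected {expected}, found {actual!r}")
```

A parameter missing from the group is reported as failing rather than silently skipped, since an unset value means the engine default applies, which for several of these parameters is the non-compliant one.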


RedShift Clusters

CID 108: Ensure Version Upgrade is enabled for AWS Redshift clusters to automatically receive upgrades
CID 109: Ensure that AWS Redshift database clusters are not using default endpoint port
CID 110: Ensure that Redshift clusters are not publicly accessible
CID 111: Ensure that AWS Redshift clusters master username is not set to well-known/default
CID 112: Ensure that AWS Redshift clusters encryption is set for data at rest
CID 113: Ensure audit logging is enabled for AWS Redshift clusters for security and troubleshooting purposes
CID 189: Ensure Automated backup retention is set for Redshift Cluster
CID 190: Ensure Redshift Cluster is configured to require an SSL connection
CID 191: Ensure database audit logging is enabled for Redshift Cluster
CID 192: Ensure Redshift Cluster are encrypted with customer managed keys
CID 371: Ensure Redshift is not deployed outside of a VPC

Amazon Aurora

CID 254: Ensure that backup retention is set between 3 and 7 days for Aurora PostgreSQL clusters
CID 265: Ensure status of the 'log_destination' parameter for Aurora PostgreSQL cluster is set to 'csvlog'
CID 266: Ensure status of the 'log_rotation_age' parameter for Aurora PostgreSQL cluster is set to 60 (minutes)
CID 267: Ensure status of the 'log_connections' parameter for Aurora PostgreSQL cluster is set to ON(1)
CID 268: Ensure status of the 'log_disconnections' parameter for Aurora PostgreSQL cluster is set to ON(1)
CID 269: Ensure status of the 'log_hostname' parameter for Aurora PostgreSQL cluster is set to OFF(0)
CID 270: Ensure status of the 'log_statement' parameter for Aurora PostgreSQL cluster is set to 'ddl' or stricter
CID 271: Ensure the 'pgaudit.log' parameter for Aurora PostgreSQL cluster is set to appropriate value

DocumentDB Instance 


CID 118: Ensure that DocumentDB Instances certificates are rotated 
Document DB Clusters

CID 132: Ensure DocumentDB database cluster master username is not set to well-known/default
CID 133: Ensure backup retention is set to minimum of 7 days for DocumentDB clusters
CID 134: Ensure audit logs are enabled for Log export to CloudWatch for DocumentDB clusters
CID 135: Ensure deletion protection is enabled for DocumentDB clusters
CID 136: Ensure DocumentDB Cluster is not listening on default port
CID 206: Ensure Document DB Cluster snapshots are encrypted
CID 207: Ensure Document database Cluster snapshots are not public
CID 330: Ensure DocDB TLS is not disabled

Neptune DB Clusters

CID 137: Ensure multi-AZ high availability is enabled for Neptune database cluster
CID 138: Ensure Neptune database cluster is not listening on default port
CID 139: Ensure IAM DB authentication is enabled for Neptune database cluster
CID 140: Ensure backup retention is set to minimum of 7 days for Neptune database cluster
CID 141: Ensure Audit logs are enabled for log exports to CloudWatch for Neptune database cluster
CID 142: Ensure Auto minor version upgrade is enabled for Neptune database instances
CID 143: Ensure deletion protection is enabled for Neptune database cluster
CID 219: Ensure Neptune DB Cluster snapshots are encrypted
CID 220: Ensure Neptune database Cluster snapshots are not public

DynamoDB

CID 169: Ensure DynamoDB tables are encrypted using KMS Customer managed Keys
CID 173: Ensure DynamoDB tables are not configured using DEFAULT encryption

QLDB Ledger

CID 180: Ensure QLDB ledger has deletion protection enabled
CID 251: Ensure QLDB ledger has encryption enabled using accessible Customer managed KMS key
CID 384: Ensure QLDB ledger permissions mode is set to STANDARD

DAX Cluster

CID 302: Ensure DAX is encrypted at rest (default is unencrypted)
DynamoDB Table
CID 292: Ensure Dynamodb point in time recovery (backup) is enabled 


RDS Cluster 
CID 333: Ensure all data stored in Aurora is securely encrypted at rest 
Azure Policies


Let us view all the policies and associated controls for Azure. 


CIS Microsoft Azure Foundations Benchmark 


We support controls for the following Azure resources:


Security Centre 


Storage Accounts 
SQL Server Database 
SQL Servers 
MySQL Server 


PostgreSQL Server 


Logging and Monitoring 


Networking 


Virtual Machines 


Web App 


Key Vault 


Kubernetes 


Azure Active Directory 


Disks 


Network Security Group 


Security Centre

CID 50004: Ensure that 'Send me emails about alerts' is set to 'On'
CID 50022: Ensure that 'Send email also to subscription owners' is set to 'On'
CID 50023: Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
CID 50078: Ensure that Settings - Threat Detection for Windows Defender ATP (WDATP) is selected
CID 50079: Ensure that Standard pricing tier is enabled for PaaS SQL servers
CID 50080: Ensure that Standard pricing tier is enabled for App Service
CID 50081: Ensure that Standard pricing tier is enabled for Storage Accounts
CID 50082: Ensure that no ASC Default policy setting is set to 'Disabled'
CID 50139: Ensure that Azure Defender is set to On for Kubernetes
CID 50140: Ensure that Azure Defender is set to On for Container Registries
CID 50141: Ensure that Azure Defender is set to On for Key Vault


Storage Accounts

CID 50011: Ensure that Secure transfer required for a Storage Account is set to Enabled
CID 50012: Ensure that 'Public access level' is set to Private for blob containers
CID 50052: Ensure default network access rule for Storage Accounts is set to deny
CID 50053: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
CID 50133: Ensure soft delete is enabled for Azure Storage
CID 50134: Ensure Storage Service Encryption is enabled for Storage Accounts

SQL Server Database

CID 50001: Ensure that Data encryption is set to ON for a SQL database

SQL Servers

CID 50002: Ensure no SQL Servers allow ingress from Internet (ANY IP)
CID 50013: Ensure that default Auditing policy for a SQL Server is configured to capture and retain the activity logs
CID 50027: Ensure SQL servers TDE protector is encrypted with BYOK (Use your own key)
CID 50028: Ensure that Advanced Data Security is enabled and Advanced Threat Protection settings are configured properly for a SQL Server
CID 50035: Ensure that Azure Active Directory Admin is configured for a SQL Server
CID 50083: Ensure that ADS - Vulnerability Assessment (VA) is enabled and configured properly

MySQL Server

CID 50039: Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server

PostgreSQL Server

CID 50040: Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
CID 50041: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
CID 50042: Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
CID 50043: Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
CID 50045: Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
CID 50047: Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
CID 50048: Ensure no PostgreSQL Server allow ingress from Internet (ANY IP)

Logging and Monitoring

CID 50063: Ensure Activity Log Alert exists for Create Policy Assignment
CID 50064: Ensure Activity Log Alert exists for Create or Update Network Security Group
CID 50065: Ensure Activity Log Alert exists for Delete Network Security Group
CID 50066: Ensure Activity Log Alert exists for Create or Update Network Security Group Rule
CID 50067: Ensure Activity Log Alert exists for Delete Network Security Group Rule
CID 50068: Ensure Activity Log Alert exists for Create or Update Security Solution
CID 50069: Ensure Activity Log Alert exists for Delete Security Solution
CID 50070: Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule
CID 50071: Ensure Activity Log Alert exists for Update Security Policy
CID 50056: Ensure Storage account containing container with activity logs is encrypted with BYOK
CID 50076: Ensure storage container storing activity logs is not publicly accessible
CID 50135: Ensure that Activity Log Alert exists for Delete Policy Assignment
CID 50142: Ensure Diagnostic Setting captures appropriate categories

Networking

CID 50029: Disable RDP access on Network Security Groups from Internet (ANY IP)
CID 50031: Disable SSH access on Network Security Groups from Internet (ANY IP)
CID 50055: Ensure Network Security Group Flow Log retention is greater than 90 days
CID 50062: Ensure Network Watcher is Enabled for your Subscription

Virtual Machines

CID 50032: Ensure that all unattached VM disks are encrypted
CID 50033: Ensure that all attached VM disks are encrypted
CID 50034: Ensure disks are encrypted for Windows VMs with ADE version 1.1
CID 50130: Ensure that the endpoint protection for all Virtual Machines is installed

Web App

CID 50049: Ensure App Service Authentication is set on Azure App Service
CID 50050: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
CID 50051: Ensure web app has 'Client Certificates (Incoming client certificates)' set to 'On'
CID 50061: Ensure that 'Register with Azure Active Directory' is enabled on App Service
CID 50074: Ensure web app is using the latest version of TLS encryption
CID 50117: Ensure that 'HTTP Version' is latest, if used to run the web app
CID 50136: Ensure FTP deployments are disabled for web apps

Key Vault

CID 50026: Ensure keyvault is recoverable
CID 50030: Ensure that the expiry date is set on all Secrets
CID 50054: Ensure that logging for Azure KeyVault is 'Enabled'
CID 50075: Ensure that diagnostic settings for Azure KeyVault is set to ON
Note: This control is not applicable for GovCloud

Kubernetes

CID 50046: Enable RBAC within Azure Kubernetes Services

Azure Active Directory

CID 50072: Ensure that there are no guest users
Note: This control is not applicable for GovCloud
CID 50073: Ensure no custom subscription owner roles are created

Disks

CID 50137: Ensure that 'OS and Data' disks are encrypted with CMK

Network Security Group

CID 50138: Ensure that UDP services are restricted from the Internet
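CIDs 50029, 50031 and 50138 in the CIS Azure list above flag Network Security Groups that expose RDP, SSH or any UDP service to the Internet. The Python below is an added example, not Qualys code: it evaluates the inbound rules of one NSG, given as a list of dictionaries with the ARM `securityRules` property names, in priority order, so that an Allow rule shadowed by a higher-priority Deny on the same port is not reported, and it treats protocol `*` as covering UDP. The rule set is a constructed sample; the probing of only the first port of each UDP rule is a simplification of this example.

```python
# Source prefixes that mean "the whole Internet" in an NSG rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
# Azure's built-in DenyAllInBound (priority 65500) applies when nothing else matches.
DEFAULT_INBOUND_ACCESS = "Deny"

# Constructed sample rule set (ARM securityRules property names); not real data.
SAMPLE_NSG_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},  # shadowed
    {"name": "allow-ssh-any-proto", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
    {"name": "allow-dns-udp", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["53", "500-501"]},
    {"name": "allow-https", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "allow-ssh-office", "priority": 150, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
]


def _port_ranges(rule):
    """Destination ports as (low, high) tuples; '*' means every port."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]


def _from_internet(rule):
    return any(s.lower() in INTERNET_SOURCES for s in _sources(rule))


def _matches(rule, protocol, port):
    """Does this rule apply to Internet traffic for the given protocol and port?"""
    return (rule.get("direction") == "Inbound"
            and rule.get("protocol", "*").lower() in {"*", protocol.lower()}
            and _from_internet(rule)
            and any(lo <= port <= hi for lo, hi in _port_ranges(rule)))


def effective_inbound_access(rules, protocol, port):
    """Decision for Internet traffic to protocol/port: lowest priority number wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, protocol, port):
            return rule["access"]
    return DEFAULT_INBOUND_ACCESS


def assess_nsg(rules):
    """Findings for the RDP (3389), SSH (22) and UDP-from-Internet controls."""
    udp_exposed = []
    for rule in rules:
        if (rule.get("direction") == "Inbound" and rule.get("access") == "Allow"
                and rule.get("protocol", "*").lower() in {"*", "udp"} and _from_internet(rule)):
            # Probe the first port the rule opens; the probe honours higher-priority denies.
            probe_port = _port_ranges(rule)[0][0]
            if effective_inbound_access(rules, "Udp", probe_port) == "Allow":
                udp_exposed.append(rule["name"])
    return {
        "rdp_from_internet": effective_inbound_access(rules, "Tcp", 3389) == "Allow",
        "ssh_from_internet": effective_inbound_access(rules, "Tcp", 22) == "Allow",
        "udp_from_internet": udp_exposed,
    }


if __name__ == "__main__":
    print(assess_nsg(SAMPLE_NSG_RULES))
```

On the sample the RDP rule is not reported because the Deny at priority 100 wins, SSH is reported through the protocol `*` rule, and that same rule is also listed as UDP exposure, which is the point of checking the protocol field rather than the rule name.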
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Azure Best Practices Policy 
We support the Azure Best Practices Policy, which evaluates controls for the following resources:
Web App 

Redis Cache 

Key Vault 

Disk 

Disk Access 

Event Hub/Namespace/Grid Topic 
Service Bus Namespace 
Virtual Machines/Scale Set 
Container Group 

Cosmos DB 

Storage Account 

Storage Sync Service 
Snapshot 

PostgreSQL Servers 

SQL Servers 

Kubernetes 

Kubernetes Cluster 
Application Gateway 
Container Registries 

Monitor 

Virtual Network Subnet 
Resource Group 

Security Centre/Policy
Logging and Monitoring 

API App 

API Management Service 
Cognitive Search/Service 
Data Lake Analytics/Storage 
Synapse Workspace 
Network Interface
Integration Service Environment 
Front Door 

Logic App 

VPC 

Data Factory 

Data Explorer 

Batch Account 

IOT Hub 

Service Fabric 

Automation Account 
Device Provisioning Service 
Integration Runtime 

Batch Pool 

Event Grid Domain 
Activity Log 


Web App

CID 50144: Ensure that CORS does not allow every resource to access the Web apps
CID 50145: Ensure that Diagnostic logs is enabled in Web apps
CID 50148: Ensure that Managed identity is used in Web apps
CID 50150: Ensure that Remote debugging is turned off for Web apps
CID 50152: Ensure that routing of outbound non-RFC 1918 traffic to Azure Virtual Network is enabled in Web apps
CID 50236: Ensure that Web Apps use Azure Files

Redis Cache

CID 50153: Ensure that public network access is disabled in Redis Cache
CID 50154: Ensure that Redis Cache uses private link
CID 50155: Ensure that only secure connections to Redis Cache is enabled
CID 50171: Ensure that Azure Redis Cache servers are using the latest version of the TLS Protocol
CID 50195: Ensure that Azure Cache for Redis resides within virtual network


Key Vault

CID 50172: Ensure that public network access is disabled for Azure Key Vaults
CID 50176: Ensure that Azure Key Vaults use Private Links
CID 50250: Ensure that Firewall is enabled on Key Vaults
CID 50251: Ensure that Key Vault keys are backed by HSM
CID 50253: Ensure that Key Vault Secrets have 'Content-Type' set
CID 50218: Ensure that the expiry date is set on all keys

Disk

CID 50156: Ensure that public network access is disabled in Managed Disks

Disk Access

CID 50157: Ensure that Disk Access resources are configured with private endpoints

Event Hub/Namespace/Grid Topic

CID 50158: Ensure that all Authorization Rules except RootManageSharedAccessKey are removed from Event Hub Namespaces
CID 50159: Ensure that Authorization rules are defined in Event Hub instances
CID 50160: Ensure that Event Hub Namespaces use Customer-Managed Key for encryption
CID 50161: Ensure that Event Hub Namespaces use private links
CID 50162: Ensure that Resource Logs are enabled in Event Hub Namespaces
CID 50194: Ensure that Azure Event Grid topics use private links
CID 50301: Ensure that public network access is disabled in Azure Event Grid topics

Service Bus Namespace

CID 50163: Ensure that all Authorization Rules except RootManageSharedAccessKey are removed from Service Bus Namespaces
CID 50164: Ensure that Service Bus Namespaces use private links
CID 50165: Ensure that Resource Logs are enabled in Service Bus Namespaces

Virtual Machines/Scale Set

CID 50034: Ensure disks are encrypted for Windows VMs with ADE version 1.1
CID 50166: Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys
CID 50037: Ensure that virtual machines are enabled with end-to-end encryption using encryption at host
CID 50241: Ensure that Virtual Machine Scale Sets have encryption at host enabled
CID 50196: Ensure that Diagnostic logs are enabled in Virtual Machine Scale Sets
CID 50239: Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets
CID 50223: Ensure that Virtual Machine disallows Extensions

Container Group

CID 50167: Ensure that Azure Container Instance container groups use customer-managed key for encryption
CID 50242: Ensure that Azure Container Instance container groups are deployed in a virtual network

Cosmos DB 


CID 50168: Ensure that Advanced Threat Protection is enabled for all Microsoft Azure 
Cosmos DB accounts 


Storage Account

CID 50169: Ensure that Advanced Threat Protection is enabled on Storage Accounts
CID 50173: Ensure that Geo-redundant storage is enabled for Storage Accounts
CID 50175: Ensure that Storage Accounts have infrastructure encryption enabled
CID 50181: Ensure Storage Accounts are using the latest version of TLS encryption
CID 50186: Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification
CID 50187: Ensure that Diagnostic Settings for Storage Accounts are configured with Log Analytics workspace
CID 50188: Ensure that Diagnostic Settings for Storage Blobs are configured with Log Analytics workspace
CID 50189: Ensure that Diagnostic Settings for Storage Files are configured with Log Analytics workspace
CID 50190: Ensure that Diagnostic Settings for Storage Queues are configured with Log Analytics workspace
CID 50191: Ensure that Diagnostic Settings for Storage Tables are configured with Log Analytics workspace
CID 50198: Ensure that Storage Accounts use private link connections
CID 50225: Ensure that Storage accounts disallow Blob public access

Storage Sync Service

CID 50170: Ensure that Azure File Sync uses private link
CID 50174: Ensure that Public network access is disabled for Azure File Sync

Snapshot

CID 50038: Ensure disk snapshots are encrypted
PostgreSQL Servers

CID 50044: Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

SQL Servers

CID 50083: Ensure that ADS - Vulnerability Assessment (VA) is enabled and configured properly

Kubernetes

CID 50090: Ensure AKS cluster monitoring is enabled
CID 50091: Ensure AKS cluster HTTP application routing is disabled
CID 50092: Ensure AKS cluster Azure CNI networking is enabled

Kubernetes Cluster

CID 50192: Ensure Kubernetes Service Private Clusters is enabled
CID 50193: Ensure that Kubernetes Services Management API server is configured with restricted access
CID 50208: Ensure that Azure Kubernetes Service uses disk encryption set
CID 50254: Ensure that Kube Dashboard is disabled
CID 50210: Ensure that Azure Kubernetes Service (AKS) cluster has Network Policy enabled on your clusters
CID 50279: Ensure Policy Add-on for Kubernetes service (AKS) is installed and configured

Application Gateway

CID 50093: Ensure Application Gateway have Web application firewall (WAF) enabled
CID 50094: Ensure Application Gateway allows TLSv1.2 or above

Container Registries

CID 50057: Ensure Container Registry is not using the deprecated classic registry
CID 50199: Ensure that Container Registries are configured to disable public network access
CID 50200: Ensure that Container Registries are configured with private endpoints
CID 50201: Ensure that Container Registries are encrypted with a customer-managed key
CID 50278: Ensure that Container Registry disallows unrestricted network access

Monitor

CID 50059: Ensure Activity Log Alert exists for Delete SQL server firewall rule
CID 50125: Ensure Activity Log Alert exists for Create/Update Storage Account
CID 50126: Ensure Activity Log Alert exists for Delete Storage Account
CID 50127: Ensure Activity Log Alert exists for Delete Virtual Machine
CID 50128: Ensure Activity Log Alert exists for Create or Update Virtual Machine
CID 50129: Ensure Activity Log Alert exists for Deallocate Virtual Machine

Virtual Network Subnet

CID 50060: Ensure that Azure Virtual Network subnet is configured with a Network Security Group

Resource Group

CID 50036: Ensure Resource Group have a resource lock

Security Centre/Policy

CID 50003: Ensure ASC Default policy setting Monitor Application Whitelisting is not Disabled
CID 50005: Ensure ASC Default policy setting Monitor System Updates is not Disabled
CID 50006: Ensure that Vulnerabilities in security configuration on your machines should be remediated
CID 50007: Ensure ASC Default policy setting Monitor Endpoint Protection is not Disabled
CID 50008: Ensure ASC Default policy setting Monitor Disk Encryption is not Disabled
CID 50009: Ensure ASC Default policy setting Monitor Network Security Groups is not Disabled
CID 50010: Ensure ASC Default policy setting Monitor Web Application Firewall is not Disabled
CID 50014: Ensure ASC Default policy setting Monitor SQL Auditing is not Disabled
CID 50015: Ensure that standard pricing tier is selected
CID 50016: Ensure ASC Default policy setting Enable Next Generation Firewall (NGFW) Monitoring is not Disabled
CID 50017: Ensure that Vulnerabilities should be remediated by a Vulnerability Assessment solution
CID 50018: Ensure ASC Default policy setting Monitor Storage Blob Encryption is not Disabled
CID 50019: Ensure ASC Default policy setting Monitor JIT Network Access is not Disabled
CID 50021: Ensure that security contact 'Phone number' is set
CID 50025: Ensure ASC Default policy setting Monitor SQL Encryption is not Disabled
CID 50071: Ensure that Activity Log Alert exists for Update Security Policy
CID 50077: Ensure that Settings - Threat Detection for Microsoft Cloud App Security (MCAS) is selected
CID 50078: Ensure that Settings - Threat Detection for Windows Defender ATP (WDATP) is selected
CID 50082: Ensure that no ASC Default policy setting is set to 'Disabled'
CID 50182: Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled
CID 50183: Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled
CID 50184: Ensure that IP forwarding enablement on your Azure virtual machines (VMs) is being monitored
CID 50185: Ensure that the external accounts with write permissions are monitored using Azure Security Center
CID 50197: Ensure that Azure Defender for DNS is enabled
CID 50226: Ensure that Azure Defender for Resource Manager is enabled
CID 50231: Ensure that Azure Defender is set to On for SQL servers on machines

Logging and Monitoring

CID 50024: Ensure that LogProfile for a subscription is configured properly

API App

CID 50202: Ensure that FTPS is enforced in API Apps
CID 50203: Ensure that Managed Identity is used in API Apps
CID 50204: Ensure that API Apps are only accessible over HTTPS
CID 50205: Ensure that API Apps have Incoming Client Certificates is set to On
CID 50206: Ensure that HTTP Logging is enabled in API Apps
CID 50058: Ensure that Detailed Error Logging is enabled in API Apps

API Management Service

CID 50248: Ensure that API Management services use virtual networks
CID 50304: Ensure that API Management Services use latest protocol for Client Side Transport Security
CID 50306: Ensure that API Management Services use latest protocol for Backend Side
CID 50305: Ensure that API Management services use a SKU that supports virtual networks
CID 50307: Ensure that Cipher Triple DES (3DES) is enabled for API Management resource
Ensure that HTTP/2 client side protocol is enabled for API Management
CID 50308: Ensure that System assigned Managed Identity is enabled for API Management Service


Cognitive Search/Service

CID 50276: Ensure that Diagnostic logs are enabled in Search Services
CID 50260: Ensure that public network access is disabled for Cognitive Services accounts
CID 50114: Ensure that network access is restricted in Cognitive Services accounts
CID 50296: Ensure that Cognitive Services enable data encryption with customer-managed keys
CID 50297: Ensure that Cognitive Services have local authentication methods disabled
CID 50298: Ensure that Managed identity is used in Cognitive Services
CID 50299: Ensure that Cognitive Services use private links

Data Lake Analytics/Storage

CID 50274: Ensure that Diagnostic logs are enabled in Data Lake Analytics accounts
CID 50275: Ensure that Diagnostic logs are enabled in Azure Data Lake Storage accounts
CID 50246: Ensure that encryption is enabled for Data Lake Store accounts

Synapse Workspace

CID 50224: Ensure that managed virtual network is enabled in Azure Synapse workspace

Network Interface

CID 50255: Ensure that IP forwarding is disabled for Network Interfaces
CID 50256: Ensure that Network Interfaces don't use public IPs

Integration Service Environment

CID 50101: Ensure that Logic Apps Integration Service Environments are encrypted with customer-managed keys


Front Door 


CID 50257: Ensure that Web Application Firewall (WAF) is enabled in Azure Front Door Services


Logic App 


CID 50277: Ensure that Diagnostic logs are enabled in Logic Apps 


CID 50309: Ensure that Logic Apps are deployed into Integration Service Environment 


VPC 


CID 198: Ensure workspace directory must have a vpc endpoint so that the API traffic 
associated with the management of workspaces stays within the vpc 
Data Factory

CID 50267: Ensure that Azure Data Factory is encrypted with a customer-managed key
CID 50245: Ensure that public network access is disabled in Azure Data Factory
CID 50244: Ensure that Azure Data Factory uses Git repository for source control
CID 50284: Ensure that Azure Data Factory uses private link

Data Explorer

CID 50265: Ensure that encryption at rest uses customer-managed key in Azure Data Explorer
CID 50229: Ensure that Azure Data Explorer uses double encryption
CID 50228: Ensure that Azure Data Explorer uses disk encryption
CID 50286: Ensure that Virtual network injection is enabled for Azure Data Explorer

Batch Account

CID 50230: Ensure that Azure Batch account uses key vault to encrypt data
CID 50291: Ensure that Azure Batch accounts have local authentication methods disabled
CID 50292: Ensure that Metric alert rules are configured on Batch accounts
CID 50293: Ensure that Batch accounts have private endpoint connections enabled
CID 50294: Ensure that public network access is disabled for Batch accounts
CID 50295: Ensure that Resource logs are enabled in Batch accounts

IOT Hub

CID 50249: Ensure that public network access is disabled for Azure IoT Hub
CID 50282: Ensure that Resource logs are enabled in IoT Hub

Service Fabric

CID 50261: Ensure that Service Fabric cluster has the ClusterProtectionLevel property set to EncryptAndSign
CID 50262: Ensure that Service Fabric cluster uses Azure Active Directory for authentication

Automation Account

CID 50227: Ensure that Automation account variables are encrypted
CID 50287: Ensure that public network access is disabled for Automation accounts
CID 50288: Ensure that Automation account uses customer-managed keys to encrypt data at rest
CID 50289: Ensure that Automation account has private endpoint connections enabled
Device Provisioning Service
CID 50280: Ensure that public network access is disabled for IoT Hub Device Provisioning Service instances


CID 50281: Ensure that IoT Hub Device Provisioning Service instances use private links 


Integration Runtime 


CID 50283: Ensure that Azure Data Factory Integration Runtimes have a limit for the 
number of cores 


CID 50285: Ensure that SQL Server Integration Services Integration Runtimes on Azure 
Data Factory are joined to a virtual network 


Batch Pool 
CID 50290: Ensure that Azure Batch pools have disk encryption enabled 


Event Grid Domain 


CID 50300: Ensure that Azure Event Grid domains are configured to disable public network 
access 


CID 50302: Ensure that Azure Event Grid domains use private links 


Activity Log 


CID 50217: Ensure that audit profile captures all the activities 


Azure Function App Best Practices Policy 


We support Azure Function App Best Practices Policy to help you in automated auditing 
and reporting on the Azure Function app misconfigurations, unwarranted access, and 
non-standard deployments, and provide remediation steps to manage risks. 


Function App

CID 50084: Ensure App Service Authentication is set on Function Apps
CID 50085: Ensure Function app redirects all HTTP traffic to HTTPS
CID 50086: Ensure function app has 'Client Certificates (Incoming client certificates)' set to
CID 50087: Ensure that 'Register with Azure Active Directory' is enabled on Function app
CID 50088: Ensure function app is using the latest version of TLS encryption version
CID 50089: Ensure that 'HTTP Version' is latest, if used to run the function app
CID 50146: Ensure that Function apps enforce FTPS-only access to FTP traffic
CID 50143: Ensure that CORS does not allow every resource to access the Function Apps
CID 50147: Ensure that Managed identity is used in Function apps
CID 50149: Ensure that Remote debugging is turned off for Function apps
CID 50151: Ensure that routing of outbound non-RFC 1918 traffic to Azure Virtual Network is enabled in Function apps
Azure Database Service Best Practices Policy

We have a policy that helps in automated auditing and reporting on the Azure Database 
service resources misconfigurations, unwarranted access and non-standard deployments, 
and provides remediation steps to manage risks. To help secure your Azure resources, 
follow the recommendations for the Database services of Azure. 

SQL Server Database
SQL Servers
MySQL Server
MariaDB Server
PostgreSQL Server
CosmosDB

SQL Server Database


CID 50095: Ensure that default Auditing policy for a SQL Database is configured to capture 
and retain the activity logs 


CID 50096: Ensure that Advanced Data Security is enabled and Advanced Threat 
Protection settings is configured properly for a SQL Database 


SQL Servers

CID 50098: Ensure that 'ssl_minimal_tls_version_enforced' is set to '1.2' for SQL server
CID 50178: Ensure that public network access is disabled on Azure SQL databases
CID 50180: Ensure that public network access is disabled for PostgreSQL flexible servers
CID 50100: Ensure that Azure SQL Database have private endpoint connections enabled

MySQL Server

CID 50102: Ensure that Advanced Threat Protection settings is configured properly for Azure Database for MySQL Server
CID 50103: Ensure that TLS is enforced and the minimum version be set to 1.2 for Azure Database for MYSQL server
CID 50104: Ensure no MySQL Server allow ingress from Internet (ANY IP)
CID 50105: Ensure that 'geo_redundant_backup_enabled' is set to Enabled for Azure Database for MySQL server
CID 50106: Ensure that Public Network Access is Disabled for Azure Database for MySQL
CID 50107: Ensure that Azure Database for MySQL server diagnostic setting is configured
CID 50131: Ensure that Azure Active Directory authentication is configured for MySql
CID 50179: Ensure that public network access is disabled for MySQL flexible servers
CID 50268: Ensure that encryption with customer-managed key is enabled in MySQL
CID 50263: Ensure that MySQL server has infrastructure encryption enabled

MariaDB Server

CID 50108: Ensure that Advanced Threat Protection settings is configured properly for Azure Database for MariaDB Server
CID 50109: Ensure 'Enforce SSL connection' is set to 'ENABLED' for Azure Database for MariaDB server
CID 50110: Ensure that TLS is enforced and the minimum version be set to 1.2 for Azure Database for MariaDB server
CID 50111: Ensure no MariaDB Server allow ingress from Internet (ANY IP)
CID 50112: Ensure that 'geo_redundant_backup_enabled' is set to Enabled for Azure Database for MariaDB server
CID 50113: Ensure that Public Network Access is Disabled for Azure Database for MariaDB

PostgreSQL Server

CID 50115: Ensure that Advanced Threat Protection settings is configured properly for Azure Database for PostgreSQL Server
CID 50116: Ensure that TLS is enforced and the minimum version be set to 1.2 for Azure Database for PostgreSQL server
CID 50118: Ensure that 'geo_redundant_backup_enabled' is set to Enabled for Azure Database for PostgreSQL server
CID 50119: Ensure that Public Network Access is Disabled for Azure Database for PostgreSQL server
CID 50120: Ensure that Azure Database for PostgreSQL server diagnostic setting is configured
CID 50132: Ensure that Azure Active Directory authentication is configured for PostgreSql server
CID 50177: Ensure that encryption with customer-managed key is enabled in PostgreSQL servers
CID 50240: Ensure that PostgreSQL server has infrastructure encryption enabled

CosmosDB

CID 50121: Ensure that automatic-failover is set for Azure CosmosDB
CID 50122: Ensure that Diagnostic settings are set for CosmosDB
CID 50123: Ensure that lock is set on Azure CosmosDB
CID 50124: Ensure that CosmosDB does not allow access from all networks
CID 50099: Ensure that Azure Cosmos DB accounts have firewall rules
CID 50243: Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest

GCP Policies


Let us view all the policies and associated controls for GCP. 


CIS Google Cloud Platform Foundation Benchmark 


We support controls for following Google Cloud Platform (GCP) resources: 


IAM & Admin 


Logs Router 


Logs-based metrics 


Storage 
Network 
Firewall rules 


Subnetwork 


Cloud SQL- Mysql 
Cloud SQL- SQL Server 
Cloud SQL- PostgreSQL 


VM Instances 
Dataset 

Table 

Cloud DNS 
IAM & Admin

CID 52000: Ensure that corporate login credentials are used instead of Gmail accounts
CID 52001: Ensure that there are only GCP-managed service account keys for each service account
CID 52002: Ensure that ServiceAccount has no Admin privileges
CID 52003: Ensure that IAM users are not assigned Service Account User role at project level
CID 52004: Ensure user-managed/external keys for service accounts are rotated every 90 days or less
CID 52005: Ensure Encryption keys are rotated within a period of 365 days
CID 52006: Ensure that Separation of duties is enforced while assigning KMS related roles
CID 52008: Ensure that IAM users are not assigned Service Account Token Creator role at
CID 52090: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible

Logs Router

CID 52009: Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
CID 52011: Ensure that sinks are configured for all Log entries

Logs-based metrics

Ensure log metric filter and alerts exists for Project Ownership assignments/changes
Ensure log metric filter and alerts exists for Audit Configuration Changes
Ensure log metric filter and alerts exists for Custom Role changes
Ensure log metric filter and alerts exists for VPC Network Firewall rule changes
Ensure log metric filter and alerts exists for VPC network route changes
Ensure log metric filter and alerts exists for VPC network changes
Ensure log metric filter and alerts exists for Cloud Storage IAM permission
Ensure log metric filter and alerts exists for SQL instance configuration

Storage

CID 52030: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
CID 52036: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
CID 52057: Ensure that there are no harmful object life cycle rules are created on Storage buckets
CID 52058: Ensure that object retention policy is set on storage buckets
CID 52099: Ensure that retention policies on log buckets are configured using Bucket Lock

Network

CID 52019: Ensure the default network does not exist in a project
CID 52034: Ensure legacy networks do not exist for a project
CID 52116: Ensure that Cloud DNS logging is enabled for all VPC networks

Firewall rules

CID 52021: Ensure that SSH access is restricted from the internet
CID 52022: Ensure that RDP access is restricted from the internet

Subnetwork

CID 52024: Ensure VPC Flow logs is enabled for every subnet in VPC Network

Cloud SQL- Mysql


CID 52032: Ensure that Cloud SQL - Mysql database Instance requires all incoming connections to use SSL
CID 52033: Ensure that Cloud SQL - Mysql database Instances are not open to the world
CID 52075: Ensure 'skip_show_database' database flag for Cloud SQL - Mysql instance is set to 'on'
CID 52076: Ensure 'local_infile' database flag for Cloud SQL - Mysql instance is set to 'off'
CID 52084: Ensure Cloud SQL - MySql Instance do not have public IP addresses
CID 52087: Ensure Cloud SQL- MySql instance is configured with automated backups
CID 52035: Ensure that MySQL Database Instance does not allows root login from any Host

Cloud SQL- SQL Server

CID 52067: Ensure that Cloud SQL - SQL Server database instance requires all incoming connections to use SSL
CID 52068: Ensure that Cloud SQL - SQL Server database Instances are not open to the world
CID 52077: Ensure 'external scripts enabled' database flag for Cloud SQL - SQL Server instance is set to 'off'
CID 52078: Ensure 'cross db ownership chaining' database flag for Cloud SQL - SQL Server instance is set to 'off'
CID 52081: Ensure 'remote access' database flag for Cloud SQL - SQL Server instance is set to 'off'
CID 52082: Ensure '3625 (trace flag)' database flag for Cloud SQL - SQL Server instance is set to 'off'
CID 52083: Ensure 'contained database authentication' database flag for Cloud SQL SQL Server instance is set to 'off'
CID 52085: Ensure Cloud SQL - SQL server Instance do not have public IP addresses
CID 52088: Ensure Cloud SQL- SQL server is configured with automated backups
CID 52080: Ensure 'user options' database flag for Cloud SQL - SQL Server instance is not configured
CID 52148: Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate

Cloud SQL- PostgreSQL

CID 52059: Ensure 'log_connections' database flag for Cloud SQL - PostgreSQL instance is set to 'on'
CID 52060: Ensure 'log_disconnections' database flag for Cloud SQL - PostgreSQL instance is set to 'on'
CID 52061: Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
CID 52062: Ensure 'log_error_verbosity' database flag for Cloud SQL - PostgreSQL instance is set to 'DEFAULT' or stricter
CID 52063: Ensure 'log_statement' database flag for Cloud SQL - PostgreSQL instance is set to 'ddl' or stricter
CID 52064: Ensure 'log_hostname' database flag for Cloud SQL - PostgreSQL instance is set to 'off'
CID 52065: Ensure that Cloud SQL - PostgreSQL database instance requires all incoming connections to use SSL
CID 52066: Ensure that Cloud SQL - PostgreSQL database Instances are not open to the world
CID 52069: Ensure 'log_lock_waits' database flag for Cloud SQL - PostgreSQL instance is set to 'on'
CID 52070: Ensure 'log_temp_files' database flag for Cloud SQL - PostgreSQL instance is set to '0' (on)
CID 52071: Ensure 'log_min_error_statement' database flag for Cloud SQL - PostgreSQL instance is set to 'Error' or stricter
CID 52072: Ensure 'log_min_messages' database flag for Cloud SQL - PostgreSQL instance is set to 'Error' or stricter
CID 52073: Ensure 'log_min_duration_statement' database flag for Cloud SQL - PostgreSQL instance is set to '-1' (disabled)
CID 52074: Ensure 'log_checkpoints' database flag for Cloud SQL - PostgreSQL instance is set to 'on'
CID 52086: Ensure Cloud SQL - PostgreSQL Instance do not have public IP addresses
CID 52089: Ensure Cloud SQL - PostgreSQL instance is configured with automated backups
CID 52112: Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
CID 52113: Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
CID 52114: Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
CID 52115: Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'

VM Instances

CID 52020: Ensure that IP forwarding is not enabled on Instances
CID 52025: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs


CID 52026: Ensure "Block Project-wide SSH keys" is enabled for VM instances
CID 52027: Ensure oslogin is enabled for a Project
CID 52028: Ensure "Enable connecting to serial ports" is not enabled for VM Instance
CID 52029: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
CID 52091: Ensure Compute instances are launched with Shielded VM enabled
CID 52093: Ensure that instances are not configured to use default service account
CID 52094: Ensure that Compute instances do not have public IP addresses
CID 52111: Ensure that Compute instances have Confidential Computing enabled

Dataset

CID 52095: Ensure that BigQuery dataset is encrypted with Customer-managed key
CID 52098: Ensure that BigQuery datasets are not anonymously or publicly accessible

Table

CID 52096: Ensure that BigQuery Table is encrypted with Customer-managed key

Cloud DNS

CID 52100: Ensure that DNSSEC is enabled for Cloud DNS
CID 52109: Ensure that GCP Cloud DNS zones is using RSASHA1 algorithm for DNSSEC key-signing
CID 52110: Ensure that GCP Cloud DNS zones is using RSASHA1 algorithm for DNSSEC zone-signing

GCP Best Practices Policy


We support GCP Best Practices Policy to evaluate the following controls.

Storage
VM Instance
Subnetwork
Pub/Sub
Compute
Project IAM
Cloud Storage
VM Disk
Dataproc Cluster

Storage

CID 52010: Ensure that object versioning is enabled on buckets
CID 52031: Ensure that logging is enabled for Cloud storage buckets
CID 52057: Ensure that there are no harmful object life cycle rules are created on Storage buckets
CID 52058: Ensure that object retention policy is set on buckets
CID 52108: Ensure that GCP Storage bucket is encrypted using customer-managed key
CID 52140: Ensure that Bucket should not log to itself

VM Instance

CID 52092: Ensure oslogin is enabled for VM instance
CID 52157: Ensure that the Auto-Delete feature is disabled for the disks attached to your VM instances
CID 52158: Ensure that your production Google Cloud virtual machine instances are not preemptible
CID 52159: Ensure that deletion protection is enabled for your Google Cloud virtual machine (VM) instances
CID 52162: Ensure that automatic restart is enabled for VM instances

Subnetwork

CID 52023: Ensure Private Google Access is enabled for all subnetwork in VPC Network

Pub/Sub

CID 52118: Ensure that Pub/Sub topics are encrypted using Customer-Managed Keys (CMKs).

Compute

CID 52120: Ensure that "On Host Maintenance" configuration setting is set to "Migrate" for 
all VM instances. 

Project IAM 

CID 52135: Ensure Default Service account is not used at a project level 


CID 52138: Ensure no roles that enable to impersonate and manage all service accounts 
are used at a project level 

Cloud Storage 

CID 52156: Ensure that Google Cloud Storage objects are using a lifecycle configuration for 
cost management 

VM Disk 

CID 52160: Ensure that your virtual machine (VM) instance disks are encrypted using 
Customer-Managed Keys (CMKs) 

Dataproc Cluster 


CID 52161: Ensure that your Dataproc clusters are encrypted using Customer-Managed 
Keys (CMKs) 




GCP Cloud Functions Best Practices Policy 


We have GCP Cloud Functions Best Practices Policy that covers Cloud Functions Services of 
Google Cloud Platform. The controls in this policy are targeted only for Cloud Functions 
service. 


Function App 
CID 52054: Ensure that Default service account is not used for the Cloud Function 
CID 52055: Ensure that Runtime used in Cloud Function is not deprecated 


CID 52056: Ensure that Cloud Function is not anonymously or publicly accessible 


GCP Kubernetes Engine Best Practices Policy 


We have GCP Kubernetes Engine Best Practices Policy. It covers Google Kubernetes Engine 
Service of Google Cloud Platform. The controls in this policy are targeted only towards 
Google Kubernetes Engine service. The pre-defined GCP Kubernetes Engine Best Practices 
is loaded with the 22 system-defined controls. 


CID 52037: Ensure that GCP Kubernetes cluster intra-node visibility is enabled
CID 52038: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
CID 52039: Ensure Kubernetes web UI / Dashboard is disabled
CID 52040: Ensure Automatic node repair is enabled for Kubernetes Clusters
CID 52041: Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters
CID 52042: Ensure that GCP Kubernetes Engine Clusters have HTTP load balancing
CID 52043: Ensure Network policy is enabled on Kubernetes Engine Clusters
CID 52044: Ensure that GCP Kubernetes Engine Clusters have Alpha cluster feature disabled
CID 52045: Ensure Kubernetes Cluster is created with Alias IP ranges enabled
CID 52046: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
CID 52047: Ensure Kubernetes Cluster is created with Private cluster enabled
CID 52048: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
CID 52049: Ensure default Service account is not used for Project access in Kubernetes Clusters
CID 52050: Ensure Kubernetes Clusters created with limited service account Access scopes for Project access
CID 52051: Ensure Stackdriver Kubernetes Engine Monitoring is set to Enabled on Kubernetes Engine Clusters
CID 52052: Ensure that Application-Layer secret encryption is enabled for Kubernetes cluster
CID 52053: Ensure that Master authorized network is enabled for Kubernetes cluster
CID 52101: Ensure Binary Authorization is set to Enabled on Kubernetes Engine Clusters
CID 52102: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters node image
CID 52103: Ensure GCP Kubernetes Engine Clusters are not using the default network
CID 52104: Ensure that network traffic egress metering is enabled on Kubernetes Engine Clusters
CID 52105: Ensure that legacy compute engine metadata endpoint for GCP Kubernetes Engine Cluster Node is disabled
CID 52117: Ensure that data at rest available on your GKE clusters is encrypted with Customer-Managed Keys.
CID 52129: Ensure that your GKE clusters nodes are shielded to protect against impersonation attacks.
CID 52130: Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
CID 52131: Ensure that the Secure Boot feature is enabled for your Google Kubernetes cluster nodes.
CID 52079: Ensure that Google Kubernetes Engine (GKE) clusters have sandbox enabled
Ensure that Google Kubernetes Engine (GKE) clusters have workload identity
CID 52147: Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider
CID 52143: Ensure the GKE Metadata Server is Enabled
CID 52127: Ensure Kubernetes Clusters are configured with Labels
CID 52144: Ensure the GKE Release Channel is set



GCP Cloud SQL Best Practices Policy 


We have GCP Cloud SQL Best Practices Policy that covers Cloud SQL Service of Google 
Cloud Platform. The controls in this policy are targeted only towards Cloud SQL service. 


Cloud SQL- PostgreSQL
Cloud SQL- Mysql
Cloud SQL - SQL Server
Cloud SQL - SQL

Cloud SQL- PostgreSQL

CID 52107: Ensure that Cloud SQL - PostgreSQL database instance Point-in-time recovery is enabled
CID 52152: Ensure that production PostgreSQL database instances are configured to automatically fail over to another zone within the selected cloud region.
CID 52128: Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.
CID 52154: Ensure that PostgreSQL instances are encrypted with Customer-Managed Keys (CMKs).
CID 52149: Ensure that Cloud SQL PostgreSQL instance server certificates are rotated (renewed) before their expiration.

Cloud SQL- Mysql

CID 52106: Ensure that Cloud SQL Mysql database instance Binary logs configuration is enabled
CID 52121: Ensure that production MySQL database instances are configured to automatically fail over to another zone within the selected cloud region.
CID 52122: Ensure that MySQL database servers are using the latest major version of MySQL database.
CID 52146: Ensure that MySQL instances are encrypted with Customer-Managed Keys (CMKs).
CID 52150: Ensure that Cloud SQL MySQL instance server certificates are rotated (renewed) before their expiration.

Cloud SQL - SQL Server

CID 52097: Ensure 'default trace enabled' database flag for Cloud SQL - SQL Server instance is set to 'on'
CID 52153: Ensure that production SQL Server database instances are configured to automatically fail over to another zone within the selected cloud region.
CID 52155: Ensure that SQL Server instances are encrypted with Customer-Managed Keys (CMKs).
CID 52151: Ensure that Cloud SQL - SQL Server instance certificates are rotated (renewed) before their expiration

Cloud SQL - SQL

CID 52119: Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled)